CVE-2025-49794: 
Linux Debian vulnerability analysis and mitigation

A use-after-free vulnerability (CVE-2025-49794) was discovered in libxml2, affecting multiple versions across different distributions including Debian Bullseye and Bookworm releases. The vulnerability was initially reserved on June 10, 2025, and was officially published on June 16, 2025. The issue occurs when parsing XPath elements under specific circumstances where the XML schematron has schema elements (NVD, Debian Tracker).

The vulnerability has received a CVSS v3.1 base score of 9.1 (Critical), characterized by a network-based attack vector, low attack complexity, and requires no privileges or user interaction. The vulnerability specifically manifests in the xmlSchematronGetNode function when processing XPath expressions in Schematron schema elements, where a pointer to freed memory is returned and then accessed, leading to undefined behavior (Wiz Database, Red Hat Bugzilla).

The vulnerability poses significant risks to system integrity and availability. When successfully exploited, it can result in a total loss of integrity, allowing attackers to modify protected files. Additionally, it can lead to complete availability loss, enabling attackers to fully deny access to resources in the impacted component. The vulnerability allows malicious actors to craft malicious XML documents that can cause program crashes or trigger other undefined behaviors (Wiz Database).

Currently, there is no fixed version available for the affected libxml2 package in Debian 11 and other affected distributions. The issue is being tracked as a minor issue in Bookworm and is pending upstream fixes. The vulnerability affects multiple packages including libxml2-devel and libxml2-python+3 (Debian Tracker).