CVE-2025-49796: 
Rocky Linux vulnerability analysis and mitigation

A critical vulnerability (CVE-2025-49796) was discovered in libxml2, first reported on June 14, 2025, and publicly disclosed on June 16, 2025. The vulnerability affects the processing of sch:name elements in XML files, which can trigger memory corruption issues. This security flaw impacts multiple versions of libxml2 across different platforms, including Red Hat Enterprise Linux and Debian systems (Wiz Report, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 9.1 (Critical), characterized as an out-of-bounds read condition (CWE-125) in libxml2. The vulnerability can be exploited remotely without requiring special privileges or user interaction. The attack vector is network-based, with low attack complexity and no requirements for privileges or user interaction, as indicated by the CVSS vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H (NVD, Wiz Report).

When successfully exploited, this vulnerability can lead to a total loss of integrity and availability of the affected systems. The attack can result in libxml2 crashes, causing denial of service conditions or other undefined behavior due to memory corruption. The impact includes the potential for attackers to fully deny access to resources in the impacted component, with either sustained or persistent loss of availability (Wiz Report, NVD).

Currently, there is no fixed version available for affected systems. Organizations running affected versions of libxml2 should monitor vendor advisories for patch releases and consider implementing network-level controls to restrict access to affected systems (Wiz Report).