CVE-2025-6021: 
NixOS vulnerability analysis and mitigation

A vulnerability (CVE-2025-6021) was discovered in libxml2's xmlBuildQName function on June 12, 2025. The flaw involves integer overflows in buffer size calculations that can lead to a stack-based buffer overflow in the libxml2 library. The vulnerability affects multiple Linux distributions and has been assigned a CVSS v3.1 base score of 7.5 (High) (NVD, Wiz).

The vulnerability stems from unsafe arithmetic operations in the xmlBuildQName function when concatenating XML name components. The issue occurs when the lengths of prefix and local name, originally of type size_t, are cast to int, resulting in incorrect calculations for large values. The vulnerability has a CVSS vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating it is network-accessible with low attack complexity and requires no privileges or user interaction (NVD, Wiz).

When exploited, this vulnerability can result in memory corruption or a denial of service condition when processing crafted input. The impact primarily affects the availability of the system, with the potential for total loss of availability while the attack is ongoing or even after it has completed (Wiz).

As of the vulnerability disclosure, there is no fixed version available for some affected distributions, including Debian 11. The issue has been addressed in the upstream repository through commits on both the master branch (ad346c9a249c4b380bf73c460ad3e81135c5d781) and 2.14-branch (acbbeef9f5dcdcc901c5f3fa14d583ef8cfd22f0) (Debian Tracker).