CVE-2025-6496: 
Linux Debian vulnerability analysis and mitigation

A vulnerability (CVE-2025-6496) was discovered in HTACG tidy-html5 version 5.8.0, affecting the InsertNodeAsParent function in src/parser.c. The vulnerability was disclosed on April 8, 2025, and leads to a null pointer dereference condition that requires local access for exploitation (Wiz, NVD).

The vulnerability manifests as a null pointer dereference in the InsertNodeAsParent function located in src/parser.c at line 143. The issue was identified during fuzzing tests using the OSS-Fuzz framework with Address Sanitizer (ASAN) instrumentation. When triggered, the vulnerability causes a segmentation fault (SEGV) on an unknown address 0x000000000018, specifically during a READ memory access operation. The vulnerability has been assigned a CVSS v4.0 score of 4.8 (Medium) and CVSS v3.1 score of 3.3 (Low) (GitHub Issue, VulDB).

The vulnerability can lead to a program crash, resulting in a denial of service condition. Since local access is required and the vulnerability only affects availability without compromising confidentiality or integrity, the overall severity is considered medium (VulDB).

Currently, there is no fixed version available for this vulnerability. The issue affects tidy-html5 version 5.8.0 and remains unfixed in the latest releases. Users are advised to monitor for updates from the vendor (Debian Tracker).