Summary libxml2 is used by DataStage on Cloud Pak for Data as part of XML processing. Vulnerability Details CVEID:CVE-2025-27113 DESCRIPTION: libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c. CWE:CWE-476: NULL Pointer Dereference CVSS Source: NVD CVSS Base score: 7.5 CVSS Vector:(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVEID:CVE-2025-32414 DESCRIPTION: In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters. CWE:CWE-393: Return of Wrong Status Code CVSS Source: NVD CVSS Base score: 7.5 CVSS Vector:(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVEID:CVE-2025-32415 DESCRIPTION: In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used. CWE:CWE-1284: Improper Validation of Specified Quantity in Input CVSS Source: NVD CVSS Base score: 7.5 CVSS Vector:(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) Affected Products and Versions Affected Product(s)| Version(s) —|— DataStage on Cloud Pak for Data| 5.2.0 Remediation/Fixes IBM strongly recommends addressing the vulnerability…Read More
Security Bulletin: DataStage on Cloud Pak for Data has several vulnerabilities due to the libxml2 package (CVE-2025-27113, CVE-2025-32414, CVE-2025-32415)
