CVE-2025-6170 - Stack-based Buffer Overflow

Severity: 25%

Complexity: 10%

Confidentiality: 23%

A flaw was found in the interactive shell of the xmllint command-line tool, used for parsing XML files. When a user inputs an overly long command, the program does not check the input size properly, which can cause it to crash. This issue might allow attackers to run harmful code in rare configurations without modern protections.

CVSS 3.1 Base Score 2.5. CVSS Attack Vector: local. CVSS Attack Complexity: high. CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).
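The missing input-size check described above, shown from the defensive side as an added example (this is not xmllint or libxml2 source code): a hypothetical shell-line parser, `parse_shell_line`, measures each token before copying it into a fixed-size stack buffer and rejects input that does not fit. The function names, buffer sizes and sample input are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SHELL_CMD_MAX 100   /* constructed sizes, not taken from xmllint */
#define SHELL_ARG_MAX 400

/* Copy one whitespace-delimited token from *p into dst (capacity dstsz).
 * Returns 0 on success, -1 if the token does not fit. Never writes past
 * dst[dstsz - 1]; on failure dst is left untouched. */
static int take_token(const char **p, char *dst, size_t dstsz)
{
    const char *s = *p;
    size_t n = 0;

    while (*s && isspace((unsigned char)*s)) s++;        /* skip blanks */
    while (s[n] && !isspace((unsigned char)s[n])) n++;   /* measure first */
    if (n >= dstsz)
        return -1;                  /* reject instead of overflowing */
    memcpy(dst, s, n);
    dst[n] = '\0';
    *p = s + n;
    return 0;
}

/* Split "command argument" into two caller-supplied buffers.
 * Returns 0 on success, -1 if either part is too long; on failure both
 * buffers hold the empty string, so no partial command is acted on. */
int parse_shell_line(const char *line, char *cmd, size_t cmdsz,
                     char *arg, size_t argsz)
{
    if (!line || !cmd || !arg || cmdsz == 0 || argsz == 0)
        return -1;
    cmd[0] = arg[0] = '\0';
    if (take_token(&line, cmd, cmdsz) != 0)
        return -1;
    if (take_token(&line, arg, argsz) != 0) {
        cmd[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char cmd[SHELL_CMD_MAX], arg[SHELL_ARG_MAX], longline[5000];

    memset(longline, 'A', sizeof longline - 1);   /* constructed oversized command */
    longline[sizeof longline - 1] = '\0';
    printf("normal:   %d\n", parse_shell_line("cat node", cmd, sizeof cmd, arg, sizeof arg));
    printf("too long: %d\n", parse_shell_line(longline, cmd, sizeof cmd, arg, sizeof arg));
    return 0;
}
```

Rejecting the whole line, rather than silently truncating it, keeps the shell from executing a command other than the one the user typed.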

Demo Examples

Stack-based Buffer Overflow

CWE-121

While buffer overflow examples can be rather complex, it is possible to have very simple, yet still exploitable, stack-based buffer overflows:


               
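    int main(int argc, char **argv) {
        char buf[BUFSIZE];       /* fixed-size stack buffer */
        strcpy(buf, argv[1]);    /* no check that argv[1] fits in buf */
    }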

The buffer size is fixed, but there is no guarantee the string in argv[1] will not exceed this size and cause an overflow.

Stack-based Buffer Overflow

CWE-121

This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer.


               
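    void host_lookup(char *user_supplied_addr) {
        char hostname[64];
        /* routine that ensures user_supplied_addr is in the right format for conversion */
        validate_addr_form(user_supplied_addr);
        in_addr_t addr = inet_addr(user_supplied_addr);
        struct hostent *hp = gethostbyaddr(&addr, sizeof(struct in_addr), AF_INET);
        strcpy(hostname, hp->h_name);
    }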

This function allocates a buffer of 64 bytes to store the hostname; however, there is no guarantee that the hostname will not be larger than 64 bytes. If an attacker specifies an address that resolves to a very large hostname, then we may overwrite sensitive data or even relinquish control flow to the attacker.

Note that this example also contains an unchecked return value (CWE-252) that can lead to a NULL pointer dereference (CWE-476).

Overview

First reported 2 months ago: 2025-06-16 16:15:00

Last updated 4 weeks ago: 2025-08-12 13:04:00

Affected Software

Red Hat Enterprise Linux (RHEL) 7.0 (7)

Red Hat Enterprise Linux 6.0

Red Hat JBoss Core Services

Red Hat Enterprise Linux 8.0

Red Hat Openshift Container Platform 4.0

XMLSoft Libxml2
