Security update for libxslt SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025-20050-1 Final 1 1 2025-11-19T09:40:24Z current 2025-11-19T09:40:24Z 2025-11-19T09:40:24Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libxslt This update for libxslt fixes the following issues: Changes in libxslt: - CVE-2025-11731: Fixed type confusion in exsltFuncResultCompfunction leading to denial of service (bsc#1251979) - CVE-2025-10911: Fixed use-after-free with key data stored cross-RVT (bsc#1250553) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Leap-16.0-24 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1250553 SUSE Bug 1250553 https://bugzilla.suse.com/1251979 SUSE Bug 1251979 https://www.suse.com/security/cve/CVE-2025-10911/ SUSE CVE CVE-2025-10911 page https://www.suse.com/security/cve/CVE-2025-11731/ SUSE CVE CVE-2025-11731 page openSUSE Leap 16.0 libexslt0-1.1.43-160000.3.1 libxslt-devel-1.1.43-160000.3.1 libxslt-tools-1.1.43-160000.3.1 libxslt1-1.1.43-160000.3.1 libexslt0-1.1.43-160000.3.1 as a component of openSUSE Leap 16.0 libxslt-devel-1.1.43-160000.3.1 as a component of openSUSE Leap 16.0 libxslt-tools-1.1.43-160000.3.1 as a component of openSUSE Leap 16.0 libxslt1-1.1.43-160000.3.1 as a component of openSUSE Leap 16.0 A use-after-free vulnerability was found in libxslt while parsing xsl nodes that may lead to the dereference of expired pointers and application crash. CVE-2025-10911 openSUSE Leap 16.0:libexslt0-1.1.43-160000.3.1 openSUSE Leap 16.0:libxslt-devel-1.1.43-160000.3.1 openSUSE Leap 16.0:libxslt-tools-1.1.43-160000.3.1 openSUSE Leap 16.0:libxslt1-1.1.43-160000.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-10911.html CVE-2025-10911 https://bugzilla.suse.com/1250553 SUSE Bug 1250553 A flaw was found in the exsltFuncResultComp() function of libxslt, which handles EXSLT <func:result> elements during stylesheet parsing. Due to improper type handling, the function may treat an XML document node as a regular XML element node, resulting in a type confusion. This can cause unexpected memory reads and potential crashes. While difficult to exploit, the flaw could lead to application instability or denial of service. CVE-2025-11731 openSUSE Leap 16.0:libexslt0-1.1.43-160000.3.1 openSUSE Leap 16.0:libxslt-devel-1.1.43-160000.3.1 openSUSE Leap 16.0:libxslt-tools-1.1.43-160000.3.1 openSUSE Leap 16.0:libxslt1-1.1.43-160000.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-11731.html CVE-2025-11731 https://bugzilla.suse.com/1251979 SUSE Bug 1251979