JLSEC-2026-583 High 7.8

numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an...

JLSEC Published: Jun 8, 2026
Modified: Jun 8, 2026
Severity: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H
Affected Packages: XSLT_jll < 1.1.43+0
Aliases / Upstream: CVE-2025-24855 GHSA-3cgj-v3m4-cgcq EUVD-2025-7659

numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal.

References

https://github.com/advisories/GHSA-3cgj-v3m4-cgcq
https://gitlab.gnome.org/GNOME/libxslt/-/issues/128
https://lists.debian.org/debian-lts-announce/2025/03/msg00015.html
https://nvd.nist.gov/vuln/detail/CVE-2025-24855