CVE-2025-11731

EUVD-2025-34140
A flaw was found in the exsltFuncResultComp() function of libxslt, which handles EXSLT <func:result> elements during stylesheet parsing. Due to improper type handling, the function may treat an XML document node as a regular XML element node, resulting in a type confusion. This can cause unexpected memory reads and potential crashes. While difficult to exploit, the flaw could lead to application instability or denial of service.
Type Confusion
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 3.1 LOW | NETWORK | HIGH | NONE | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L |
Awaiting analysis
This vulnerability is currently awaiting analysis.
EPSS Score percentile: 26%
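Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| libxslt | bionic | needs-triage |
| libxslt | focal | needs-triage |
| libxslt | jammy | needs-triage |
| libxslt | noble | needs-triage |
| libxslt | plucky | ignored |
| libxslt | questing | needs-triage |
| libxslt | resolute | Fixed 1.1.43-0.3 (released) |
| libxslt | trusty | needs-triage |
| libxslt | xenial | needs-triage |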
openSUSE / SLES Releases

| openSUSE Product | Release | Version | Status |
|---|---|---|---|
| libxslt-devel | suse enterprise desktop 15 SP6 | 1.1.34-150400.3.13.1 | fixed |
| libxslt-devel | suse enterprise desktop 15 SP7 | 1.1.34-150400.3.13.1 | fixed |
| libxslt-devel | suse enterprise sap 15 SP4 | 1.1.34-150400.3.13.1 | fixed |
| libxslt-devel | suse enterprise sap 15 SP5 | 1.1.34-150400.3.13.1 | fixed |
| libxslt-devel | suse enterprise sap 15 SP6 | 1.1.34-150400.3.13.1 | fixed |
| libxslt-devel | suse enterprise sap 15 SP7 | 1.1.34-150400.3.13.1 | fixed |
| libxslt-devel | suse enterprise server 12 SP5 | 1.1.28-17.21.1 | fixed |
| libxslt-devel | suse enterprise server 15 SP2 | 1.1.32-150000.3.28.1 | fixed |
| libxslt-devel | suse enterprise server 15 SP3 | 1.1.32-150000.3.28.1 | fixed |
| libxslt-devel | suse enterprise server 15 SP4 | 1.1.34-150400.3.13.1 | fixed |
| libxslt-devel | suse enterprise server 15 SP5 | 1.1.34-150400.3.13.1 | fixed |
| libxslt-devel | suse enterprise server 15 SP6 | 1.1.34-150400.3.13.1 | fixed |
| libxslt-devel | suse enterprise server 15 SP7 | 1.1.34-150400.3.13.1 | fixed |
| libxslt-tools | suse enterprise desktop 15 SP6 | 1.1.34-150400.3.13.1 | fixed |
| libxslt-tools | suse enterprise desktop 15 SP7 | 1.1.34-150400.3.13.1 | fixed |
| libxslt-tools | suse enterprise sap 15 SP4 | 1.1.34-150400.3.13.1 | fixed |
| libxslt-tools | suse enterprise sap 15 SP5 | 1.1.34-150400.3.13.1 | fixed |
| libxslt-tools | suse enterprise sap 15 SP6 | 1.1.34-150400.3.13.1 | fixed |
| libxslt-tools | suse enterprise sap 15 SP7 | 1.1.34-150400.3.13.1 | fixed |
| libxslt-tools | suse enterprise server 12 SP3 | 1.1.28-17.21.1 | fixed |
| libxslt-tools | suse enterprise server 12 SP5 | 1.1.28-17.21.1 | fixed |
| libxslt-tools | suse enterprise server 15 SP2 | 1.1.32-150000.3.28.1 | fixed |
| libxslt-tools | suse enterprise server 15 SP3 | 1.1.32-150000.3.28.1 | fixed |
| libxslt-tools | suse enterprise server 15 SP4 | 1.1.34-150400.3.13.1 | fixed |
| libxslt-tools | suse enterprise server 15 SP5 | 1.1.34-150400.3.13.1 | fixed |
| libxslt-tools | suse enterprise server 15 SP6 | 1.1.34-150400.3.13.1 | fixed |
| libxslt-tools | suse enterprise server 15 SP7 | 1.1.34-150400.3.13.1 | fixed |
| libxslt1 | suse enterprise desktop 15 SP6 | 1.1.34-150400.3.13.1 | fixed |
| libxslt1 | suse enterprise desktop 15 SP7 | 1.1.34-150400.3.13.1 | fixed |
| libxslt1 | suse enterprise sap 15 SP4 | 1.1.34-150400.3.13.1 | fixed |
| libxslt1 | suse enterprise sap 15 SP5 | 1.1.34-150400.3.13.1 | fixed |
| libxslt1 | suse enterprise sap 15 SP6 | 1.1.34-150400.3.13.1 | fixed |
| libxslt1 | suse enterprise sap 15 SP7 | 1.1.34-150400.3.13.1 | fixed |
| libxslt1 | suse enterprise server 12 SP3 | 1.1.28-17.21.1 | fixed |
| libxslt1 | suse enterprise server 12 SP5 | 1.1.28-17.21.1 | fixed |
| libxslt1 | suse enterprise server 15 SP2 | 1.1.32-150000.3.28.1 | fixed |
| libxslt1 | suse enterprise server 15 SP3 | 1.1.32-150000.3.28.1 | fixed |
| libxslt1 | suse enterprise server 15 SP4 | 1.1.34-150400.3.13.1 | fixed |
| libxslt1 | suse enterprise server 15 SP5 | 1.1.34-150400.3.13.1 | fixed |
| libxslt1 | suse enterprise server 15 SP6 | 1.1.34-150400.3.13.1 | fixed |
| libxslt1 | suse enterprise server 15 SP7 | 1.1.34-150400.3.13.1 | fixed |
| libxslt1-32bit | suse enterprise server 12 SP3 | 1.1.28-17.21.1 | fixed |
| libxslt1-32bit | suse enterprise server 12 SP5 | 1.1.28-17.21.1 | fixed |