When Native Dependencies Betray: An Integer Overflow in libxml2 with Cross-Language Impact on PHP and Swift

Author: Ahmed Lekssays

Executive Summary

During security research at the Qatar Computing Research Institute, we discovered a critical integer overflow vulnerability in libxml2's xmlBuildQName() function (CVE-2025-6021) that cascaded into multiple high-profile projects, including PHP's SOAP extension (CVE-2025-6491) and Swift's FoundationXML library. This research demonstrates how a single flaw in a widely used native library can create […]

From VEX to Critical Bug

A subtle normalization mismatch inside an SBOM tool can break dependency relationships even when all packages are detected correctly. When edges between components silently disappear, downstream processes like vulnerability scanning and VEX reasoning become unreliable. This post walks through how such an issue surfaced in Syft, why it happened, and why small normalization inconsistencies pose […]