Google Project Zero is a well-known security team that is tasked with finding vulnerabilities in software products developed by various vendors, including Google itself. Its process of disclosure involves reporting a security bug privately to the vendor, giving them 90 days to release a patch before all details are exposed publicly. In some conditions, an extra 30-day grace period is also awarded.

The idea behind this approach is that companies will work faster to resolve security issues under threat of an impending public disclosure. We have covered Project Zero's work extensively in the past, as it has reported vulnerabilities across Windows, ChromeOS, and Linux CentOS, among many other products. Now, Google Project Zero has revealed a security issue in a popular GNOME library.

libxslt is based on the libxml2 library, and was built as an open-source software (OSS) under the GNOME project. It is used to transform XML documents using Extensible Stylesheet Language Transformations (XSLT). Example use - cases include transforming XML documents into HTML in web browsers, rendering XML content in office applications, and more. Many applications utilize this library including implementations in PHP and Python on the web, Doxygen, Gnumeric, and GNOME Help System, among others.

Google Project Zero discovered a security flaw in libxslt a few months ago and privately reported it to GNOME on May 6, 2025, awarding it the standard 90 days to fix the problem. You can find technical details regarding the security hole in great detail here, but in essence, there is a use-after-free (UAF) vulnerability in libxslt because of the Result Value Tree (RVT) not getting freed up properly in some cases. The potential dangers of this vulnerability include acting as an attack surface for bad actors who may use it to execute malicious code and software crashes due to segmentation faults.

Google Project Zero has awarded this bug a priority and severity of P2 and S2, respectively, which means that this is a medium-severity flaw which can have a significant impact on associated applications.

Interestingly, GNOME has also been tracking this bug since Project Zero's report and has made this particular item publicly visible too following the security team's deadline exceeding. A quick read of the thread indicates that while some people are working on a fix, it is not complete yet due to the patch breaking some other components in the process. The community has also noted that since libxslt has no active maintainer (the original creator Daniel Veillard apparently hasn't responded in months), it's unlikely that an upstream patch will ever be released, and it's very possible that downstream systems will have to "fend for themselves".

As such, the overall situation is a bit tricky. Google has disclosed the bug following the expiration of its 90-day deadline, the GNOME project has no complaint against this but is kind of helpless due to the lack of an active libxslt maintainer who can own the issue, and the bug itself is now public with proof-of-concept (PoC) code, which threat actors can potentially leverage for exploits.