diff --git a/libxml2-2.12.5-CVE-2025-49794.patch b/libxml2-2.12.5-CVE-2025-49794.patch
index 284ecd0..68cae15 100644
--- a/libxml2-2.12.5-CVE-2025-49794.patch
+++ b/libxml2-2.12.5-CVE-2025-49794.patch
@@ -1,43 +1,182 @@
-From 529f65b0782efbe1137b2504aa1f06504a97dd0a Mon Sep 17 00:00:00 2001
-From: Michael Mann <mmann78@netscape.net>
-Date: Sat, 21 Jun 2025 12:51:24 -0400
-Subject: [PATCH] Schematron: Fix use after free
+From 71e1e8af5ee46dad1b57bb96cfbf1c3ad21fbd7b Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 4 Jul 2025 14:28:26 +0200
+Subject: [PATCH] schematron: Fix memory safety issues in
+ xmlSchematronReportOutput
 
-(CVE-2025-49794)
+Fix use-after-free (CVE-2025-49794) and type confusion (CVE-2025-49796)
+in xmlSchematronReportOutput.
 
-Fixes #931
+Fixes #931.
+Fixes #933.
 ---
- schematron.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
+ result/schematron/cve-2025-49794_0.err |  2 ++
+ result/schematron/cve-2025-49796_0.err |  2 ++
+ schematron.c                           | 49 ++++++++++++++------------
+ test/schematron/cve-2025-49794.sct     | 10 ++++++
+ test/schematron/cve-2025-49794_0.xml   |  6 ++++
+ test/schematron/cve-2025-49796.sct     |  9 +++++
+ test/schematron/cve-2025-49796_0.xml   |  3 ++
+ 7 files changed, 58 insertions(+), 23 deletions(-)
+ create mode 100644 result/schematron/cve-2025-49794_0.err
+ create mode 100644 result/schematron/cve-2025-49796_0.err
+ create mode 100644 test/schematron/cve-2025-49794.sct
+ create mode 100644 test/schematron/cve-2025-49794_0.xml
+ create mode 100644 test/schematron/cve-2025-49796.sct
+ create mode 100644 test/schematron/cve-2025-49796_0.xml
 
+diff --git a/result/schematron/cve-2025-49794_0.err b/result/schematron/cve-2025-49794_0.err
+new file mode 100644
+index 00000000..57752310
+--- /dev/null
++++ b/result/schematron/cve-2025-49794_0.err
+@@ -0,0 +1,2 @@
++./test/schematron/cve-2025-49794_0.xml:2: element boo0: schematron error : /librar0/boo0 line 2:  
++./test/schematron/cve-2025-49794_0.xml fails to validate
+diff --git a/result/schematron/cve-2025-49796_0.err b/result/schematron/cve-2025-49796_0.err
+new file mode 100644
+index 00000000..bf875ee0
+--- /dev/null
++++ b/result/schematron/cve-2025-49796_0.err
+@@ -0,0 +1,2 @@
++./test/schematron/cve-2025-49796_0.xml:2: element boo0: schematron error : /librar0/boo0 line 2:  
++./test/schematron/cve-2025-49796_0.xml fails to validate
 diff --git a/schematron.c b/schematron.c
-index 5c1a27bf1..e2ec06d2c 100644
+index 85b46282..0fd37461 100644
 --- a/schematron.c
 +++ b/schematron.c
-@@ -1380,8 +1380,11 @@ xmlSchematronGetNode(xmlSchematronValidCtxtPtr ctxt,
+@@ -1364,27 +1364,15 @@ exit:
+  *                                                                      *
+  ************************************************************************/
+ 
+-static xmlNodePtr
++static xmlXPathObjectPtr
+ xmlSchematronGetNode(xmlSchematronValidCtxtPtr ctxt,
+                      xmlNodePtr cur, const xmlChar *xpath) {
+-    xmlNodePtr node = NULL;
+-    xmlXPathObjectPtr ret;
+-
+     if ((ctxt == NULL) || (cur == NULL) || (xpath == NULL))
          return(NULL);
  
-     if ((ret->type == XPATH_NODESET) &&
+     ctxt->xctxt->doc = cur->doc;
+     ctxt->xctxt->node = cur;
+-    ret = xmlXPathEval(xpath, ctxt->xctxt);
+-    if (ret == NULL)
+-        return(NULL);
+-
+-    if ((ret->type == XPATH_NODESET) &&
 -        (ret->nodesetval != NULL) && (ret->nodesetval->nodeNr > 0))
-+        (ret->nodesetval != NULL) && (ret->nodesetval->nodeNr > 0)) {
-         node = ret->nodesetval->nodeTab[0];
-+        /* Clear the nodeTab so the node data isn't freed below */
-+        ret->nodesetval->nodeTab[0] = NULL;
-+    }
+-        node = ret->nodesetval->nodeTab[0];
+-
+-    xmlXPathFreeObject(ret);
+-    return(node);
++    return(xmlXPathEval(xpath, ctxt->xctxt));
+ }
  
-     xmlXPathFreeObject(ret);
-     return(node);
-@@ -1446,6 +1449,10 @@ xmlSchematronFormatReport(xmlSchematronValidCtxtPtr ctxt,
-                 ret = xmlStrcat(ret, BAD_CAST ":");
-                 ret = xmlStrcat(ret, node->name);
+ /**
+@@ -1427,25 +1415,40 @@ xmlSchematronFormatReport(xmlSchematronValidCtxtPtr ctxt,
+             (child->type == XML_CDATA_SECTION_NODE))
+             ret = xmlStrcat(ret, child->content);
+         else if (IS_SCHEMATRON(child, "name")) {
++            xmlXPathObject *obj = NULL;
+             xmlChar *path;
+ 
+             path = xmlGetNoNsProp(child, BAD_CAST "path");
+ 
+             node = cur;
+             if (path != NULL) {
+-                node = xmlSchematronGetNode(ctxt, cur, path);
+-                if (node == NULL)
+-                    node = cur;
++                obj = xmlSchematronGetNode(ctxt, cur, path);
++                if ((obj != NULL) &&
++                    (obj->type == XPATH_NODESET) &&
++                    (obj->nodesetval != NULL) &&
++                    (obj->nodesetval->nodeNr > 0))
++                    node = obj->nodesetval->nodeTab[0];
+                 xmlFree(path);
+             }
+ 
+-            if ((node->ns == NULL) || (node->ns->prefix == NULL))
+-                ret = xmlStrcat(ret, node->name);
+-            else {
+-                ret = xmlStrcat(ret, node->ns->prefix);
+-                ret = xmlStrcat(ret, BAD_CAST ":");
+-                ret = xmlStrcat(ret, node->name);
++            switch (node->type) {
++                case XML_ELEMENT_NODE:
++                case XML_ATTRIBUTE_NODE:
++                    if ((node->ns == NULL) || (node->ns->prefix == NULL))
++                        ret = xmlStrcat(ret, node->name);
++                    else {
++                        ret = xmlStrcat(ret, node->ns->prefix);
++                        ret = xmlStrcat(ret, BAD_CAST ":");
++                        ret = xmlStrcat(ret, node->name);
++                    }
++                    break;
++
++                /* TODO: handle other node types */
++                default:
++                    break;
              }
 +
-+            if ((path != NULL) && (node != cur))
-+                xmlXPathNodeSetFreeNs((xmlNsPtr)node);
-+                
++            xmlXPathFreeObject(obj);
          } else if (IS_SCHEMATRON(child, "value-of")) {
              xmlChar *select;
              xmlXPathObjectPtr eval;
+diff --git a/test/schematron/cve-2025-49794.sct b/test/schematron/cve-2025-49794.sct
+new file mode 100644
+index 00000000..7fc9ee3d
+--- /dev/null
++++ b/test/schematron/cve-2025-49794.sct
+@@ -0,0 +1,10 @@
++<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
++    <sch:pattern id="">
++        <sch:rule context="boo0">
++            <sch:report test="not(0)">
++                <sch:name path="&#9;e|namespace::*|e"/>
++            </sch:report>
++            <sch:report test="0"></sch:report>
++        </sch:rule>
++    </sch:pattern>
++</sch:schema>
+diff --git a/test/schematron/cve-2025-49794_0.xml b/test/schematron/cve-2025-49794_0.xml
+new file mode 100644
+index 00000000..debc64ba
+--- /dev/null
++++ b/test/schematron/cve-2025-49794_0.xml
+@@ -0,0 +1,6 @@
++<librar0>
++    <boo0 t="">
++        <author></author>
++    </boo0>
++    <ins></ins>
++</librar0>
+diff --git a/test/schematron/cve-2025-49796.sct b/test/schematron/cve-2025-49796.sct
+new file mode 100644
+index 00000000..e9702d75
+--- /dev/null
++++ b/test/schematron/cve-2025-49796.sct
+@@ -0,0 +1,9 @@
++<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
++    <sch:pattern id="">
++        <sch:rule context="boo0">
++            <sch:report test="not(0)">
++                <sch:name path="/"/>
++            </sch:report>
++        </sch:rule>
++    </sch:pattern>
++</sch:schema>
+diff --git a/test/schematron/cve-2025-49796_0.xml b/test/schematron/cve-2025-49796_0.xml
+new file mode 100644
+index 00000000..be33c4ec
+--- /dev/null
++++ b/test/schematron/cve-2025-49796_0.xml
+@@ -0,0 +1,3 @@
++<librar0>
++    <boo0/>
++</librar0>
 -- 
-GitLab
+2.49.0
 
diff --git a/libxml2-2.12.5-CVE-2025-49795.patch b/libxml2-2.12.5-CVE-2025-49795.patch
index c213938..0f43596 100644
--- a/libxml2-2.12.5-CVE-2025-49795.patch
+++ b/libxml2-2.12.5-CVE-2025-49795.patch
@@ -1,4 +1,4 @@
-From ea338a6ddc9b9e2699d4d15990832549156a92c0 Mon Sep 17 00:00:00 2001
+From 1d73ed887fb7d076d6113fefc6cd53742d23bc4b Mon Sep 17 00:00:00 2001
 From: Michael Mann <mmann78@netscape.net>
 Date: Sat, 21 Jun 2025 12:11:30 -0400
 Subject: [PATCH] Schematron: Fix null pointer dereference leading to DoS
@@ -7,22 +7,64 @@ Subject: [PATCH] Schematron: Fix null pointer dereference leading to DoS
 
 Fixes #932
 ---
- schematron.c | 2 ++
- 1 file changed, 2 insertions(+)
+ result/schematron/zvon16_0.err | 3 +++
+ schematron.c                   | 5 +++++
+ test/schematron/zvon16.sct     | 7 +++++++
+ test/schematron/zvon16_0.xml   | 5 +++++
+ 4 files changed, 20 insertions(+)
+ create mode 100644 result/schematron/zvon16_0.err
+ create mode 100644 test/schematron/zvon16.sct
+ create mode 100644 test/schematron/zvon16_0.xml
 
+diff --git a/result/schematron/zvon16_0.err b/result/schematron/zvon16_0.err
+new file mode 100644
+index 00000000..452bcc13
+--- /dev/null
++++ b/result/schematron/zvon16_0.err
+@@ -0,0 +1,3 @@
++XPath error : Unregistered function: falae
++./test/schematron/zvon16_0.xml:2: element book: schematron error : /library/book line 2: Book 
++./test/schematron/zvon16_0.xml fails to validate
 diff --git a/schematron.c b/schematron.c
-index 5c1a27bf1..d33755e6d 100644
+index a8259201..86c63e64 100644
 --- a/schematron.c
 +++ b/schematron.c
-@@ -1453,6 +1453,8 @@ xmlSchematronFormatReport(xmlSchematronValidCtxtPtr ctxt,
+@@ -1481,6 +1481,11 @@ xmlSchematronFormatReport(xmlSchematronValidCtxtPtr ctxt,
              select = xmlGetNoNsProp(child, BAD_CAST "select");
              comp = xmlXPathCtxtCompile(ctxt->xctxt, select);
              eval = xmlXPathCompiledEval(comp, ctxt->xctxt);
-+            if (eval == NULL)
++            if (eval == NULL) {
++                xmlXPathFreeCompExpr(comp);
++                xmlFree(select);
 +                return ret;
++            }
  
              switch (eval->type) {
              case XPATH_NODESET: {
+diff --git a/test/schematron/zvon16.sct b/test/schematron/zvon16.sct
+new file mode 100644
+index 00000000..f03848aa
+--- /dev/null
++++ b/test/schematron/zvon16.sct
+@@ -0,0 +1,7 @@
++<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
++	<sch:pattern id="TestPattern">
++		<sch:rule context="book">
++			<sch:report test="not(@available)">Book <sch:value-of select="falae()"/> test</sch:report>
++		</sch:rule>
++	</sch:pattern>
++</sch:schema>
+diff --git a/test/schematron/zvon16_0.xml b/test/schematron/zvon16_0.xml
+new file mode 100644
+index 00000000..551e2d65
+--- /dev/null
++++ b/test/schematron/zvon16_0.xml
+@@ -0,0 +1,5 @@
++<library>
++	<book title="Test Book" id="bk101">
++		<author>Test Author</author>
++	</book>
++</library>
 -- 
-GitLab
+2.49.0
 
diff --git a/libxml2-2.12.5-CVE-2025-49796.patch b/libxml2-2.12.5-CVE-2025-49796.patch
deleted file mode 100644
index 2b12616..0000000
--- a/libxml2-2.12.5-CVE-2025-49796.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 12ef9e5bb7b4bf4f901a2a34b6609a908b1544af Mon Sep 17 00:00:00 2001
-From: David King <dking@redhat.com>
-Date: Wed, 2 Jul 2025 13:56:53 +0100
-Subject: [PATCH] Fix CVE-2025-49796
-
-Fix for type confusion in CVE-2025-49796, for the specific case
-mentioned in the vulnerability report. A more general fix should be
-applied in the future, after upstream review.
-
-https://gitlab.gnome.org/GNOME/libxml2/-/issues/933
----
- schematron.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/schematron.c b/schematron.c
-index ba7fa56c..47f97c04 100644
---- a/schematron.c
-+++ b/schematron.c
-@@ -26,6 +26,7 @@
- #ifdef LIBXML_SCHEMATRON_ENABLED
- 
- #include <stdlib.h>
-+#include <stdint.h>
- #include <string.h>
- #include <libxml/parser.h>
- #include <libxml/tree.h>
-@@ -1442,7 +1443,9 @@ xmlSchematronFormatReport(xmlSchematronValidCtxtPtr ctxt,
-                 xmlFree(path);
-             }
- 
--            if ((node->ns == NULL) || (node->ns->prefix == NULL))
-+            if ((node == NULL) || (node->ns == NULL)
-+                               || ((uintptr_t)node->ns == (uintptr_t)-1) // Check for 0xffffffffffffffff
-+                               || (node->ns->prefix == NULL))
-                 ret = xmlStrcat(ret, node->name);
-             else {
-                 ret = xmlStrcat(ret, node->ns->prefix);
--- 
-2.49.0
-
diff --git a/libxml2.spec b/libxml2.spec
index c014dbd..85a5f7d 100644
--- a/libxml2.spec
+++ b/libxml2.spec
@@ -1,6 +1,6 @@
 Name:           libxml2
 Version:        2.12.5
-Release:        6%{?dist}
+Release:        7%{?dist}
 Summary:        Library providing XML and HTML support
 
 # list.c, dict.c and few others use ISC-Veillard
@@ -27,11 +27,10 @@ Patch4:         libxml2-2.12.5-CVE-2025-24928.patch
 # https://issues.redhat.com/browse/RHEL-96495
 Patch5:         libxml2-2.12.5-CVE-2025-6021.patch
 # https://issues.redhat.com/browse/RHEL-96995
+# https://issues.redhat.com/browse/RHEL-96421
 Patch6:         libxml2-2.12.5-CVE-2025-49794.patch
 # https://issues.redhat.com/browse/RHEL-96408
 Patch7:         libxml2-2.12.5-CVE-2025-49795.patch
-# https://issues.redhat.com/browse/RHEL-96421
-Patch8:         libxml2-2.12.5-CVE-2025-49796.patch
 
 BuildRequires:  cmake-rpm-macros
 BuildRequires:  gcc
@@ -172,6 +171,9 @@ popd
 %{python3_sitelib}/__pycache__/drv_libxml2.*
 
 %changelog
+* Mon Jul 07 2025 David King <dking@redhat.com> - 2.12.5-7
+- Refresh patches from upstream (RHEL-96395, RHEL-96408 and RHEL-96421)
+
 * Mon Jun 16 2025 David King <dking@redhat.com> - 2.12.5-6
 - Fix CVE-2025-6021 (RHEL-96495)
 - Fix CVE-2025-49794 (RHEL-96395)