-------------------------------------------------------------------------
Debian LTS Advisory DLA-4622-1                [email protected]
https://www.debian.org/lts/security/                       Guilhem Moulin
June 08, 2026                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : libxml2
Version        : 2.9.10+dfsg-6.7+deb11u10
CVE ID         : CVE-2025-8732 CVE-2026-0989 CVE-2026-0990 CVE-2026-0992
                 CVE-2026-1757
Debian Bug     : 1125691 1125695 1125696

Multiple security issues were found in libxml2, the GNOME XML library,
which could lead to Denial of Service.

CVE-2025-8732

    Catalog parsing functions were missing cycle detection.  When a
    catalog file contains a CATALOG directive pointing to itself,
    `xmlExpandCatalog()` and `xmlParseSGMLCatalog()` recursively call
    each other without bounds until stack overflow.

CVE-2026-0989

    The RelaxNG parser does not limit the recursion depth when resolving
    `<include>` directives, which may lead to stack overflow on a
    malicious RelaxNG schema file.

CVE-2026-0990

    Nick Wellnhofer discovered that `xmlCatalogXMLResolveURI()` will
    recurse infinitely if a catalog has a URI delegate referencing
    itself, eventually resulting in a call stack overflow.

CVE-2026-0992

    Nick Wellnhofer discovered that processing a chain of XML catalogs
    linked with `<nextCatalog>` and having the `<nextCatalog>` element
    takes exponential time, leading to denial of service via resource
    exhaustion.
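The four catalog and schema issues above (CVE-2025-8732, CVE-2026-0989, CVE-2026-0990 and CVE-2026-0992) share one root cause: a resolver follows references from one file to another with neither a record of what it has already visited nor a bound on how deep it will go. The following is an added example and not libxml2 code: a small resolver for `<uri>` and `<nextCatalog>` entries that keeps a visited set (so a catalog that points at itself or back at an earlier catalog is parsed once per lookup, bounding work to the chain length) and a hard depth limit. The namespace constant `NS`, the bound `MAX_DEPTH`, the function names and the catalog contents are all constructed for this example; a dict stands in for the filesystem.

```python
"""Cycle-safe, depth-bounded walk over a chain of XML catalogs.

Added example, not libxml2 code.  The catalogs are constructed in-memory
strings keyed by a pretend file path.
"""
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:entity:xmlns:xml:catalog}"
MAX_DEPTH = 32  # hypothetical bound chosen for this example


def _catalog(body):
    """Wrap constructed entries in a catalog root element."""
    return ('<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">'
            + body + '</catalog>')


# Constructed sample catalogs: a two-element cycle and a self-reference.
CATALOGS = {
    "root.xml": _catalog(
        '<uri name="http://example.org/a.dtd" uri="file:///dtds/a.dtd"/>'
        '<nextCatalog catalog="second.xml"/>'),
    "second.xml": _catalog(
        '<uri name="http://example.org/b.dtd" uri="file:///dtds/b.dtd"/>'
        '<nextCatalog catalog="root.xml"/>'),   # links back: a cycle
    "self.xml": _catalog(
        '<nextCatalog catalog="self.xml"/>'),   # references itself
}


class CatalogError(Exception):
    """Raised when the chain is longer than the configured bound."""


def resolve_uri(start, name, catalogs=CATALOGS, max_depth=MAX_DEPTH):
    """Map `name` to a URI by walking nextCatalog links from `start`.

    Returns (uri_or_None, list_of_catalogs_visited_in_order).
    A catalog already on the visited list is skipped instead of being
    re-entered, so cycles terminate; the depth bound is a second guard
    for very long but acyclic chains.
    """
    visited = []
    seen = set()
    pending = [start]
    while pending:
        path = pending.pop(0)
        if path in seen:
            continue                      # cycle or duplicate link
        if len(visited) >= max_depth:
            raise CatalogError(f"catalog chain longer than {max_depth}")
        seen.add(path)
        visited.append(path)
        try:
            root = ET.fromstring(catalogs[path])
        except KeyError:
            raise CatalogError(f"missing catalog {path}")
        for entry in root.findall(f"{NS}uri"):
            if entry.get("name") == name:
                return entry.get("uri"), visited
        for nxt in root.findall(f"{NS}nextCatalog"):
            pending.append(nxt.get("catalog"))
    return None, visited


def make_chain(n):
    """Constructed acyclic chain c0 -> c1 -> ... -> c(n-1); last maps b.dtd."""
    chain = {}
    for k in range(n):
        if k < n - 1:
            body = f'<nextCatalog catalog="c{k + 1}.xml"/>'
        else:
            body = '<uri name="http://example.org/b.dtd" uri="file:///dtds/b.dtd"/>'
        chain[f"c{k}.xml"] = _catalog(body)
    return chain


def exceeds_bound(start, name, catalogs, max_depth):
    """True if walking the chain from `start` trips the depth bound."""
    try:
        resolve_uri(start, name, catalogs, max_depth)
        return False
    except CatalogError:
        return True


if __name__ == "__main__":
    print(resolve_uri("root.xml", "http://example.org/b.dtd"))
    print(resolve_uri("self.xml", "http://example.org/a.dtd"))
    print(exceeds_bound("c0.xml", "http://example.org/b.dtd", make_chain(10), 5))
```

Without the `seen` check, `self.xml` would be re-read forever and `root.xml`/`second.xml` would bounce between each other, which is the unbounded mutual recursion the advisory describes; with it, each lookup touches every catalog at most once.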

CVE-2026-1757

    The command parsing logic of the xmllint(1) interactive shell was
    found to leak memory.

In addition, a few other security issues were found for which no CVE ID
was assigned yet:

   * Memory leak of prefix in `xmlTextWriterStartElementNS()`.

   * Potential use-after-free issue in `xmlRelaxNGValidateValue()`.

   * Memory leak in `xmlTextWriterStartAttributeNS()`.

   * Additional memory leaks on error paths in schematron.

   * Stack overflow from self-referencing SGML CATALOG entries.

For Debian 11 bullseye, these problems have been fixed in version
2.9.10+dfsg-6.7+deb11u10.

We recommend that you upgrade your libxml2 packages.

For the detailed security status of libxml2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libxml2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
