Severity: Medium
Affected versions:
- upstream versions - 2.9.11 to 2.11.0
Description:
libxml2 had a use-after-free in xmlParseInternalSubset due to improper
entity resolution handling. A remote attacker could possibly use this
issue to cause a crash or possibly run arbitrary programs.
The latest upstream release is already patched, and this only applies to a set of
older versions. This likely also applies if the upstream patch for
CVE-2021-3541 was cherry-picked.
Credit:
Geoffrey Humphreys (reporter)
References:
https://bugs.launchpad.net/ubuntu/+source/libxml2/+bug/2141260
https://gitlab.gnome.org/GNOME/libxml2/-/work_items/1058
The linked launchpad issue has PoC and reproduction instructions if needed.
Timeline:
2026-02-09 : reported to Canonical's Ubuntu Security Team
2026-02-17 : reported to upstream
2026-06-08 : PoC and details sent to distros list
2026-06-22 : public disclosure