CVE-2025-8732
Catalog parsing functions were missing cycle detection. When a
catalog file contains a CATALOG directive pointing to itself,
`xmlExpandCatalog()` and `xmlParseSGMLCatalog()` recursively call
each other without bounds until stack overflow.
CVE-2026-0989
The RelaxNG parser does not limit the recursion depth when resolving
`
malicious RelaxNG schema file.
CVE-2026-0990
Nick Wellnhofer discovered that `xmlCatalogXMLResolveURI()` will
recurse infinitely if a catalog has a URI delegate referencing
itself, eventually resulting in a call stack overflow.
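
The self-referencing catalog cases in CVE-2025-8732 and CVE-2026-0990 both come from following catalog references without tracking which catalogs are already being expanded. The C example below is added here as an illustration and is not libxml2 code or its patch: it keeps the chain of catalogs under expansion and stops on a repeat or at a depth limit. The catalog table, `load_catalog()`, `expand()` and the `MAX_DEPTH` value are hypothetical names and constructed data.

```c
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 50   /* assumed limit for this example, not libxml2's value */
#define MAX_REFS  4
/* Constructed stand-in for catalog files on disk: each entry lists the
 * files named by its CATALOG directives. */
struct catalog { const char *path; const char *refs[MAX_REFS]; };
static const struct catalog files[] = {
    { "root.cat",  { "a.cat", "b.cat", NULL } },
    { "a.cat",     { "b.cat", NULL } },
    { "b.cat",     { NULL } },
    { "self.cat",  { "self.cat", NULL } },     /* points to itself */
    { "loop1.cat", { "loop2.cat", NULL } },
    { "loop2.cat", { "loop1.cat", NULL } },    /* indirect cycle */
};

static const struct catalog *lookup(const char *path) {
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++)
        if (strcmp(files[i].path, path) == 0) return &files[i];
    return NULL;
}

/* Returns the number of catalog expansions, or -1 on a cycle or depth limit. */
static int expand(const char *path, const char *active[], int depth) {
    if (depth >= MAX_DEPTH) return -1;                /* bound the recursion */
    for (int i = 0; i < depth; i++)
        if (strcmp(active[i], path) == 0) return -1;  /* already on the chain */
    const struct catalog *c = lookup(path);
    if (c == NULL) return 0;                          /* missing file: skip it */
    active[depth] = path;                             /* push onto the chain */
    int loaded = 1;
    for (int i = 0; i < MAX_REFS && c->refs[i] != NULL; i++) {
        int n = expand(c->refs[i], active, depth + 1);
        if (n < 0) return -1;                         /* propagate the failure */
        loaded += n;
    }
    return loaded;
}

int load_catalog(const char *path) {
    const char *active[MAX_DEPTH];   /* catalogs currently being expanded */
    return expand(path, active, 0);
}

int main(void) {
    printf("root=%d self=%d loop=%d\n", load_catalog("root.cat"),
           load_catalog("self.cat"), load_catalog("loop1.cat"));
    return 0;
}
```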
CVE-2026-0992
Nick Wellnhofer discovered that processing a chain of XML catalogs
linked with `
takes exponential time, leading to denial of service via resource
exhaustion.
CVE-2026-1757
The command parsing logic of the xmllint(1) interactive shell was
found to leak memory.