Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 531
Alerts This Week
Warning Icon 1 531

Debian libxml2 Critical Denial Service Threat DLA-4622-1 CVE-2025-8732

debian lts
Calendar Grey June 8, 2026
Scroller Debian Lts Esm H88
Critical updates for libxml2 to mitigate Denial of Service risks, addressing multiple security issues for Debian LTS users.
Multiple security issues were found in libxml2, the GNOME XML library, which could lead to Denial of Service

Summary

CVE-2025-8732

Catalog parsing functions were missing cycle detection. When a
catalog file contains a CATALOG directive pointing to itself,
`xmlExpandCatalog()` and `xmlParseSGMLCatalog()` recursively call
each other without bounds until stack overflow.

CVE-2026-0989

The RelaxNG parser does not limit the recursion depth when resolving
`` directives, which may lead to stack overflow on
malicious RelaxNG schema file.

CVE-2026-0990

Nick Wellnhofer discovered that `xmlCatalogXMLResolveURI()` will
recurse infinitely if a catalog has a URI delegate referencing
itself, eventually resulting in a call stack overflow.

CVE-2026-0992

Nick Wellnhofer discovered that processing a chain of XML catalogs
linked with `` and having the `` element
takes exponential time, leading to denial of service via resource
exhaustion.

CVE-2026-1757

The command parsing logic of the xmllint(1) interactive shell was
found to leak memory.

Read the Full Advisory


Severity
critical
Lowest
Low
Medium
High
Critical

Package: libxml2
Version: 2.9.10+dfsg-6.7+deb11u10
CVE ID: CVE-2025-8732 CVE-2026-0989 CVE-2026-0990 CVE-2026-0992
Debian Bug: 1125691 1125695 1125696

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.