| Package | libxml2 |
|---|---|
| Version | 2.9.4+dfsg1-2.2+deb9u16 (stretch), 2.9.4+dfsg1-7+deb10u14 (buster) |
| Related CVEs | CVE-2025-8732 CVE-2026-0989 CVE-2026-0990 CVE-2026-0992 CVE-2026-1757 |
Several security issues were found in libxml2, the GNOME XML library, which could lead to Denial of Service.

- CVE-2025-8732: Catalog parsing functions were missing cycle detection. When a catalog file contains a CATALOG directive pointing to itself, `xmlExpandCatalog()` and `xmlParseSGMLCatalog()` recursively call each other without bounds until stack overflow.
- CVE-2026-0989: The RelaxNG parser does not limit the recursion depth when resolving `<include>` directives, which may lead to stack overflow on a malicious RelaxNG schema file.
- CVE-2026-0990: Nick Wellnhofer discovered that `xmlCatalogXMLResolveURI()` will recurse infinitely if a catalog has a URI delegate referencing itself, eventually resulting in a call stack overflow.
- CVE-2026-0992: Nick Wellnhofer discovered that processing a chain of XML catalogs linked with `<nextCatalog>` and having the `<nextCatalog>` element takes exponential time, leading to denial of service via resource exhaustion.
- CVE-2026-1757: The command parsing logic of the xmllint(1) interactive shell was found to leak memory.

In addition, a few other security issues were found for which no CVE ID was assigned yet:

- Memory leak of prefix in `xmlTextWriterStartElementNS()`.
- Potential use-after-free issue in `xmlRelaxNGValidateValue()`.
- Memory leak in `xmlTextWriterStartAttributeNS()`.
- Additional memory leaks on error paths in schematron.
- Stack overflow from self-referencing SGML CATALOG entries.
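The catalog-related issues above (CVE-2025-8732, CVE-2026-0990 and the self-referencing SGML CATALOG entry) share one root cause: a resolver that follows references from one catalog to another without remembering which catalogs it has already entered, and without bounding how deep it will go. The following is an added illustration, not libxml2 code and not the upstream fix: a toy resolver for the OASIS XML catalog format using only Python's standard library. `resolve_uri_naive` shows the unbounded pattern, and `resolve_uri` shows the two checks a hardened resolver needs, a traversal-wide visited set and a depth limit. The catalog documents, the `MAX_CATALOG_DEPTH` value and all names are constructed for the example; the bound libxml2 itself applies is not stated on this page.

```python
"""Cycle-safe resolution of an XML catalog chain (added example, not libxml2 code)."""
import xml.etree.ElementTree as ET

CATALOG_NS = "urn:oasis:names:tc:entity:xmlns:xml:catalog"
URI_TAG = f"{{{CATALOG_NS}}}uri"
NEXT_TAG = f"{{{CATALOG_NS}}}nextCatalog"

# Assumed nesting bound for this example; libxml2's own limit is not given on the page.
MAX_CATALOG_DEPTH = 32


class CatalogDepthError(RuntimeError):
    """Raised when an (acyclic) catalog chain nests deeper than MAX_CATALOG_DEPTH."""


def catalog_doc(entries, next_catalogs=()):
    """Build a small XML catalog document from a name->uri mapping (constructed sample data)."""
    body = "".join(f'<uri name="{n}" uri="{u}"/>' for n, u in entries.items())
    body += "".join(f'<nextCatalog catalog="{c}"/>' for c in next_catalogs)
    return f'<catalog xmlns="{CATALOG_NS}">{body}</catalog>'


# Constructed samples keyed by a made-up file name: root -> second -> root is a
# two-catalog cycle, and self.xml is a catalog whose nextCatalog points at itself.
SAMPLE_CATALOGS = {
    "root.xml": catalog_doc({"http://example.com/a.dtd": "local/a.dtd"}, ["second.xml"]),
    "second.xml": catalog_doc({"http://example.com/b.dtd": "local/b.dtd"}, ["root.xml"]),
    "self.xml": catalog_doc({}, ["self.xml"]),
}


def make_chain(length):
    """Constructed sample: a linear, acyclic chain chain0.xml -> chain1.xml -> ..."""
    chain = {}
    for i in range(length):
        nxt = [f"chain{i + 1}.xml"] if i + 1 < length else []
        chain[f"chain{i}.xml"] = catalog_doc({}, nxt)
    return chain


def resolve_uri_naive(name, catalog_name, catalogs):
    """The unbounded pattern: follow every nextCatalog with no memory of where we have been.

    On self.xml or the root/second cycle this never terminates on its own; in C it
    would consume the stack, in Python it ends in a RecursionError.
    """
    root = ET.fromstring(catalogs[catalog_name])
    for entry in root.findall(URI_TAG):
        if entry.get("name") == name:
            return entry.get("uri")
    for nxt in root.findall(NEXT_TAG):
        found = resolve_uri_naive(name, nxt.get("catalog"), catalogs)
        if found is not None:
            return found
    return None


def resolve_uri(name, catalog_name, catalogs, visited=None, depth=0):
    """Hardened pattern: resolve `name` through the chain starting at `catalog_name`.

    Returns the mapped URI, or None if no catalog in the chain maps it.
    `visited` is shared across the whole traversal, so a catalog that was already
    entered is skipped: self-references and mutual references terminate, and a
    catalog reachable by several paths is parsed once instead of once per path.
    `depth` additionally bounds legitimate, acyclic nesting.
    """
    if depth > MAX_CATALOG_DEPTH:
        raise CatalogDepthError(
            f"catalog chain deeper than {MAX_CATALOG_DEPTH} at {catalog_name!r}"
        )
    if visited is None:
        visited = set()
    if catalog_name in visited:
        return None  # cycle: this catalog is already on the current traversal
    visited.add(catalog_name)

    root = ET.fromstring(catalogs[catalog_name])
    for entry in root.findall(URI_TAG):
        if entry.get("name") == name:
            return entry.get("uri")
    for nxt in root.findall(NEXT_TAG):
        found = resolve_uri(name, nxt.get("catalog"), catalogs, visited, depth + 1)
        if found is not None:
            return found
    return None


if __name__ == "__main__":
    # Lookup that crosses the root -> second link and terminates despite the cycle back.
    print(resolve_uri("http://example.com/b.dtd", "root.xml", SAMPLE_CATALOGS))
    # Unknown name: the whole cycle is walked once and None is returned.
    print(resolve_uri("http://example.com/none", "root.xml", SAMPLE_CATALOGS))
```

The two checks are independent: the visited set is what stops cycles, while the depth limit protects against a long but acyclic chain that is still deeper than the process stack can safely take. Checking depth before consulting the visited set means a chain that is both cyclic and too deep is reported as too deep rather than silently truncated.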
For Debian 10 buster, these problems have been fixed in version 2.9.4+dfsg1-7+deb10u14.
For Debian 9 stretch, these problems have been fixed in version 2.9.4+dfsg1-2.2+deb9u16.
We recommend that you upgrade your libxml2 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.