Debian Libxml2 vulnerabilities
121 known vulnerabilities affecting debian/libxml2.
Total CVEs: 121
CISA KEV: 0
Public exploits: 8
Exploited in wild: 0
Severity breakdown: CRITICAL 14 | HIGH 38 | MEDIUM 44 | LOW 25
Vulnerabilities
Page 1 of 7
CVE-2026-0990 | MEDIUM | CVSS 5.9 | fixed in libxml2 2.15.2+dfsg-0.1 (forky) | 2026
CVE-2026-0990 [MEDIUM]: libxml2
A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call
CVE-2026-1757 | LOW | CVSS 6.2 | fixed in libxml2 2.15.2+dfsg-0.1 (forky) | 2026
CVE-2026-1757 [MEDIUM]: libxml2
A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not properly released under certain conditions. When a user submits input consisting only of whitespace, the program skips command execution but fails to free the allocated buffer. Repeating this action causes memory to continu
CVE-2026-0992 | LOW | CVSS 2.9 | fixed in libxml2 2.15.2+dfsg-0.1 (forky) | 2026
CVE-2026-0992 [LOW]: libxml2
A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and
CVE-2026-0989 | LOW | CVSS 3.7 | fixed in libxml2 2.15.2+dfsg-0.1 (forky) | 2026
CVE-2026-0989 [LOW]: libxml2
A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-se
CVE-2025-49796 | CRITICAL | CVSS 9.1 | fixed in libxml2 2.9.14+dfsg-1.3~deb12u3 (bookworm) | 2025
CVE-2025-49796 [CRITICAL]: libxml2
A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.
Scope: local
CVE-2025-49794 | CRITICAL | CVSS 9.1 | fixed in libxml2 2.9.14+dfsg-1.3~deb12u3 (bookworm) | 2025
CVE-2025-49794 [CRITICAL]: libxml2
A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors.
Scope: local
CVE-2025-24928 | HIGH | CVSS 7.5 | fixed in libxml2 2.9.14+dfsg-1.3~deb12u2 (bookworm) | 2025
CVE-2025-24928 [HIGH]: libxml2
libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE: this is similar to CVE-2017-9047.
Scope: local
bookworm: resolved (fixed in 2.9.14+dfsg-1.3~deb12u2)
bullseye: resolved (fixed in 2.9.10+dfsg-6.7+deb11u6)
for
CVE-2025-6021 | HIGH | CVSS 7.5 | fixed in libxml2 2.9.14+dfsg-1.3~deb12u3 (bookworm) | 2025
CVE-2025-6021 [HIGH]: libxml2
A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.
Scope: local
bookworm: resolved (fixed in 2.9.14+dfsg-1.3~deb12u3)
bullseye: resolved (fixed in 2.9.10+dfsg-6.7+deb11u8)
for
CVE-2025-32414 | MEDIUM | CVSS 5.6 | fixed in libxml2 2.9.14+dfsg-1.3~deb12u2 (bookworm) | 2025
CVE-2025-32414 [MEDIUM]: libxml2
In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.
Scope: local
bookworm: resolved (fixed in 2.9.14+dfsg-1.3~deb12u2)
bullseye: resolved (fixe
CVE-2025-9714 | MEDIUM | CVSS 6.2 | fixed in libxml2 2.9.14+dfsg-1.3~deb12u5 (bookworm) | 2025
CVE-2025-9714 [MEDIUM]: libxml2
Uncontrolled recursion in XPath evaluation in libxml2 up to and including version 2.9.14 allows a local attacker to cause a stack overflow via crafted expressions. XPath processing functions `xmlXPathRunEval`, `xmlXPathCtxtCompile`, and `xmlXPathEvalExpr` were resetting recursion depth to zero before making potentially recursive calls. When such functions were calle
CVE-2025-8732 | LOW | CVSS 4.8 | 2025
CVE-2025-8732 [MEDIUM]: libxml2
A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is
CVE-2025-6170 | LOW | CVSS 2.5 | fixed in libxml2 2.9.14+dfsg-1.3~deb12u3 (bookworm) | 2025
CVE-2025-6170 [LOW]: libxml2
A flaw was found in the interactive shell of the xmllint command-line tool, used for parsing XML files. When a user inputs an overly long command, the program does not check the input size properly, which can cause it to crash. This issue might allow attackers to run harmful code in rare configurations without modern protections.
Scope: local
bookworm: resolved (fixed
CVE-2025-26434 | LOW | CVSS 5.5 | 2025
CVE-2025-26434 [MEDIUM]: libxml2
In libxml2, there is a possible out of bounds read due to a buffer overflow. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
CVE-2025-27113 | LOW | CVSS 2.9 | fixed in libxml2 2.9.14+dfsg-1.3~deb12u2 (bookworm) | 2025
CVE-2025-27113 [LOW]: libxml2
libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.
Scope: local
bookworm: resolved (fixed in 2.9.14+dfsg-1.3~deb12u2)
bullseye: resolved (fixed in 2.9.10+dfsg-6.7+deb11u6)
forky: resolved (fixed in 2.12.7+dfsg+really2.9.14-0.4)
sid: resolved (fixed in 2.12.7+dfsg+really2.9.14-0.4)
trixie: resolved (fixed in 2.1
CVE-2025-32415 | LOW | CVSS 2.9 | fixed in libxml2 2.9.14+dfsg-1.3~deb12u2 (bookworm) | 2025
CVE-2025-32415 [LOW]: libxml2
In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.
Scope: local
bookworm: resolved (fixed in 2.9.14+dfsg-1.3~deb12u2)
bullseye: resolved
CVE-2025-49795 | LOW | CVSS 7.5 | 2025
CVE-2025-49795 [HIGH]: libxml2
A NULL pointer dereference vulnerability was found in libxml2 when processing XPath XML expressions. This flaw allows an attacker to craft a malicious XML input to libxml2, leading to a denial of service.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
CVE-2024-56171 | HIGH | CVSS 7.8 | fixed in libxml2 2.9.14+dfsg-1.3~deb12u2 (bookworm) | 2024
CVE-2024-56171 [HIGH]: libxml2
libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.
Scope: local
bookworm: resolved (fixed in 2.9.14+dfsg-1.3~deb12u2)
CVE-2024-25062 | HIGH | CVSS 7.5 | fixed in libxml2 2.9.14+dfsg-1.3~deb12u2 (bookworm) | 2024
CVE-2024-25062 [HIGH]: libxml2
An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.
Scope: local
bookworm: resolved (fixed in 2.9.14+dfsg-1.3~deb12u2)
bullseye: resolved (fixed in 2.9.10+dfsg-6.7+deb11u6)
CVE-2024-34459 | HIGH | CVSS 7.5 | fixed in libxml2 2.9.14+dfsg-1.3~deb12u2 (bookworm) | 2024
CVE-2024-34459 [HIGH]: libxml2
An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.
Scope: local
bookworm: resolved (fixed in 2.9.14+dfsg-1.3~deb12u2)
bullseye: resolved (fixed in 2.9.10+dfsg-6.7+deb11u8)
forky: resolved (fixed in 2.12.7+d
CVE-2024-40896 | LOW | CVSS 9.1 | 2024
CVE-2024-40896 [CRITICAL]: libxml2
In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE attacks possible.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved