Skip to main content

libxml2 EUVDEUVD-2026-38232

| CVE-2026-6653 HIGH
Use After Free (CWE-416)
2026-06-22 canonical GHSA-v4qw-p44r-qhfg
7.0
CVSS 4.0 · Vendor: canonical
Share

Severity by source

Vendor (canonical) PRIMARY
7.0 HIGH
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.9 MEDIUM

Remotely reachable via crafted XML with no auth or interaction; UAF triggering depends on heap/entity ordering so AC:H; description limits impact to denial of service, hence C:N/I:N/A:H.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.9 MEDIUM
qualitative

Primary rating from Vendor (canonical).

CVSS VectorVendor: canonical

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 22, 2026 - 15:02 EUVD
Analysis Generated
Jun 22, 2026 - 14:03 vuln.today

DescriptionCVE.org

Use After Free in libxml2's xmlParseInternalSubset from GNOME libxml2 version 2.9.11 to 2.11.0 allows a remote attacker to cause a denial-of-service via maliciously crafted XML input with improper entity resolution handling.

AnalysisAI

Use-after-free in libxml2's xmlParseInternalSubset function affects GNOME libxml2 versions 2.9.11 through 2.11.0 and can be triggered remotely by crafted XML containing abusive entity resolution, leading to denial of service of any application that parses untrusted XML with this library. Publicly available exploit code exists (CVSS 4.0 E:P) but the issue is not listed in CISA KEV, indicating proof-of-concept demonstration rather than confirmed active exploitation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify XML-accepting endpoint backed by libxml2
Delivery
Craft DOCTYPE with malicious internal-subset entities
Exploit
Submit document to parser
Execution
Trigger UAF in xmlParseInternalSubset
Impact
Crash parser worker / denial of service

Vulnerability AssessmentAI

Exploitation The target application must link against GNOME libxml2 in the 2.9.11-2.11.0 range and must parse attacker-controlled XML with DTD/internal-subset processing enabled (the xmlParseInternalSubset code path is only reached when the document contains a DOCTYPE declaration with an inline '[...]' subset and entity resolution is permitted). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are mixed and worth reading carefully. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a specially crafted XML document - for example via a public SOAP endpoint, SAML assertion, RSS feed, OOXML upload, or configuration import - whose DOCTYPE internal subset contains entity declarations engineered to trigger the dangling-pointer condition in xmlParseInternalSubset. When the libxml2-backed parser processes the internal subset, the freed entity object is dereferenced, crashing the worker process and denying service; given that proof-of-concept code exists per CVSS E:P, weaponization against any internet-exposed XML parser using a vulnerable libxml2 build is straightforward, though the AC:H rating implies the crash may not be deterministic on every run.
Remediation No vendor-released patched libxml2 version is identified at time of analysis - the available references point to a GNOME GitLab work item and a Launchpad bug rather than a tagged release, so monitor https://gitlab.gnome.org/GNOME/libxml2/-/work_items/1058 for the fix commit and upgrade to the first GNOME-tagged release above 2.11.0 that explicitly references CVE-2026-6653, and pick up the corresponding distribution backport (Ubuntu USN tied to LP#2141260) when published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit systems and applications using libxml2 2.9.11-2.11.0; categorize by whether they parse external or untrusted XML. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-6021 HIGH POC
7.5 Jun 12

Stack-based buffer overflow in libxml2's xmlBuildQName function allows remote unauthenticated attackers to crash affecte

CVE-2016-4658 CRITICAL
9.8 Sep 25

xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS befor

CVE-2016-1762 HIGH POC
8.1 Mar 24

The xmlNextChar function in libxml2 before 2.9.4 allows remote attackers to cause a denial of service (heap-based buffer

CVE-2016-1834 HIGH POC
7.8 May 20

Heap-based buffer overflow in the xmlStrncat function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X b

CVE-2016-1840 HIGH POC
7.8 May 20

Heap-based buffer overflow in the xmlFAParsePosCharGroup function in libxml2 before 2.9.4, as used in Apple iOS before 9

CVE-2017-9047 HIGH POC
7.5 May 18

A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. Rated high severity (CVSS 7.5), this vulnerabil

CVE-2016-4447 HIGH POC
7.5 Jun 09

The xmlParseElementDecl function in parser.c in libxml2 before 2.9.4 allows context-dependent attackers to cause a denia

CVE-2017-16932 HIGH
7.5 Nov 23

parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities. Rated high severity (CVSS 7.

CVE-2016-4483 HIGH POC
7.5 Apr 11

The xmlBufAttrSerializeTxtContent function in xmlsave.c in libxml2 allows context-dependent attackers to cause a denial

CVE-2013-1969 HIGH POC
7.5 Apr 25

Multiple use-after-free vulnerabilities in libxml2 2.9.0 and possibly other versions might allow context-dependent attac

CVE-2016-1839 MEDIUM POC
5.5 May 20

The xmlDictAddString function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS befo

CVE-2016-1838 MEDIUM POC
5.5 May 20

The xmlPArserPrintFileContextInternal function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 1

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected
SUSE Linux Enterprise Micro 5.3 Affected
SUSE Linux Enterprise Micro 5.4 Affected
SUSE Linux Enterprise Micro 5.5 Affected

Share

EUVD-2026-38232 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy