Description
Use After Free in libxml2's xmlParseInternalSubset from GNOME libxml2 version 2.9.11 to 2.11.0 allows a remote attacker to cause a denial-of-service via maliciously crafted XML input with improper entity resolution handling.
Published: 2026-06-22
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Use‑after‑free occurs when libxml2 parses the internal subset of XML documents. A malformed XML document that references an entity resolves to a dangling pointer, allowing an attacker to trigger a crash during parsing. The crash causes an unauthenticated, remote denial‑of‑service because the parsing thread exits unexpectedly without restoring the library state. This weakness is labeled CWE‑416 (Use After Free) and CWE‑611 (Improper Restriction of XML External Entity Reference).

Affected Systems

GNOME libxml2, versions from 2.9.11 through 2.11.0, inclusive. Any program that depends on these library versions and processes externally supplied XML exposes the described flaw.

Risk and Exploitability

The vulnerability has a CVSS score of 7, indicating a high risk of denial of service. The EPSS score is not available, so the current evidence of exploitation probability is unknown, and it is not listed in the CISA KEV catalog. Attackers can exploit this flaw remotely by supplying malicious XML to any service that uses libxml2. An unpatched library will terminate, leading to service disruptions. The risk is elevated for publicly reachable applications that automatically parse XML. For internal or isolated systems, the risk is reduced but present if untrusted XML is ingested.

Generated by OpenCVE AI on June 22, 2026 at 14:40 UTC.

Remediation

Vendor Solution

Upgrade to libxml2 version 2.11.0 or later


OpenCVE Recommended Actions

  • Upgrade libxml2 to version 2.11.0 or later, which removes the use‑after‑free in xmlParseInternalSubset.
  • Restart all services that link against libxml2 so that the updated library is loaded into their process space.
  • If an immediate upgrade is not possible, restrict XML input to trusted sources or configure the parser to disallow external entity resolution where supported.

Generated by OpenCVE AI on June 22, 2026 at 14:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8456-1 libxml2 vulnerability
History

Thu, 25 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Mon, 22 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Gnome
Gnome libxml2
Vendors & Products Gnome
Gnome libxml2

Mon, 22 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description Use After Free in libxml2's xmlParseInternalSubset from GNOME libxml2 version 2.9.11 to 2.11.0 allows a remote attacker to cause a denial-of-service via maliciously crafted XML input with improper entity resolution handling.
Title libxml2: Use after free in xmlParseInternalSubset via improper entity resolution handling
Weaknesses CWE-416
CWE-611
References
Metrics cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


cve-icon MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-06-22T15:51:11.554Z

Reserved: 2026-04-20T06:37:45.271Z

Link: CVE-2026-6653

cve-icon Vulnrichment

Updated: 2026-06-22T15:51:06.224Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-22T12:40:31Z

Links: CVE-2026-6653 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T15:45:03Z

Weaknesses
  • CWE-416

    Use After Free

  • CWE-611

    Improper Restriction of XML External Entity Reference