Description
Use After Free in libxml2's xmlParseInternalSubset from GNOME libxml2 version 2.9.11 to 2.11.0 allows a remote attacker to cause a denial-of-service via maliciously crafted XML input with improper entity resolution handling.
Published: 2026-06-22
Score: 7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The use-after-free is in xmlParseInternalSubset, the routine that parses a document's internal DTD subset (the declarations between the brackets of <!DOCTYPE root [ ... ]>). A crafted document whose entity references are mishandled during that parse leaves the parser holding a pointer to memory it has already freed, and the next access through that pointer crashes the parsing process. The parser runs on whatever bytes it is handed, so an unauthenticated remote attacker who can submit XML to an affected service can take it down. The description claims only denial of service; nothing on this page asserts code execution or data exposure, although a use-after-free is a memory-safety bug and should be treated as one until the fix is in place. The record is classified as CWE-416 (Use After Free) and CWE-611 (Improper Restriction of XML External Entity Reference).

Affected Systems

GNOME libxml2 from 2.9.11 up to the 2.11.0 release named in the vendor solution. The description's upper bound reads "to 2.11.0" while the remediation says "2.11.0 or later", so confirm against the vendor advisory whether 2.11.0 itself is affected or is the first fixed release; this page treats it as fixed. Any program that links an affected build and parses XML from a source it does not control is exposed, including programs that reach libxml2 through language bindings (for example lxml, Nokogiri or PHP's DOM and SimpleXML extensions) and programs that bundle their own copy of the library. Distribution packages that backport the fix keep the old upstream version number, so a version string alone does not establish that a system is vulnerable.

Risk and Exploitability

The CVSS 4.0 base score is 7.0 (High). The vector, AV:N/AC:H/AT:N/PR:N/UI:N, says the flaw is reachable over the network with no privileges and no user interaction, but with high attack complexity, and its E:P field records that a proof of concept exists. Note that the vector's impact triple, VC:H/VI:L/VA:L, rates confidentiality impact as high and availability impact as low, which does not match a denial-of-service-only description; treat the score as provisional until NVD or the vendor enriches the record. No EPSS score has been assigned, so there is no exploitation-probability estimate, and the CVE is not in the CISA KEV catalog. Any service that parses attacker-supplied XML with an affected libxml2 can be crashed by a single request, and a supervisor that restarts the worker does not help when the attacker can simply resend the document. Exposure is highest for internet-facing endpoints that parse XML automatically (SOAP and XML-RPC APIs, feed and document importers, SAML handling); internal or isolated systems are at lower but nonzero risk whenever they ingest XML from a source they do not control.

Generated by OpenCVE AI on June 22, 2026 at 14:40 UTC.

Remediation

Vendor Solution

Upgrade to libxml2 version 2.11.0 or later


OpenCVE Recommended Actions

  • Upgrade libxml2 to version 2.11.0 or later, which contains the fix for the use-after-free in xmlParseInternalSubset. On distributions that backport fixes without changing the upstream version number (the assigner of this record is Canonical), install the distribution's patched package and rely on its security tracker rather than on the version string.
  • Restart every process that has libxml2 mapped so the patched library is actually loaded; a replaced shared object on disk does nothing for a daemon that is already running. On Linux, search /proc/*/maps for libxml2 to find stragglers, and rebuild or reinstall anything that carries its own copy (static links, and language bindings such as lxml wheels or the Nokogiri gem that ship a bundled libxml2).
  • If an immediate upgrade is not possible, keep untrusted XML away from the parser. The flaw is in internal-subset parsing, which libxml2 performs whether or not external entity loading is enabled, so parser options such as XML_PARSE_NONET, or leaving XML_PARSE_NOENT and XML_PARSE_DTDLOAD unset, narrow exposure but do not necessarily block the trigger. Where the application has no need for DTDs, rejecting any document that carries a DOCTYPE before it reaches libxml2 is the more reliable stopgap.
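An added example (not OpenCVE's or libxml2's own code) covering the version check and the input gate from the actions above: the first function applies the advisory's range in libxml2's own integer version convention, the second scans an XML prolog and rejects any document that carries a DOCTYPE, so untrusted input never reaches xmlParseInternalSubset. It assumes the affected range is 2.9.11 up to but not including the 2.11.0 fix release, that the input is UTF-8 or another ASCII-compatible encoding (reject anything else before this check), and that the application can do without DTDs; the sample document in main is constructed for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* libxml2 encodes its version as major*10000 + minor*100 + micro, both in the
 * compile-time LIBXML_VERSION macro and in the run-time xmlParserVersion
 * string ("20911" for 2.9.11). Assumption: the advisory's range is taken as
 * 2.9.11 up to but not including the 2.11.0 fix release. */
#define CVE_2026_6653_FIRST_AFFECTED 20911
#define CVE_2026_6653_FIXED          21100

/* Returns 1 if a libxml2 build with this version number is in the affected
 * range. Distribution backports keep the old number, so a 1 here is only a
 * prompt to check the vendor's package changelog, not a verdict. */
int libxml2_affected(int version_number)
{
    return version_number >= CVE_2026_6653_FIRST_AFFECTED &&
           version_number <  CVE_2026_6653_FIXED;
}

/* Converts a dotted "2.9.14" string to the libxml2 integer form; returns -1
 * unless the string is exactly three numeric components. */
int libxml2_version_number(const char *s)
{
    int parts[3] = {0, 0, 0};
    int i = 0;
    for (;;) {
        if (!isdigit((unsigned char)*s)) return -1;
        while (isdigit((unsigned char)*s))
            parts[i] = parts[i] * 10 + (*s++ - '0');
        if (*s == '\0') break;
        if (*s != '.' || ++i > 2) return -1;
        s++;
    }
    if (i != 2 || parts[1] > 99 || parts[2] > 99) return -1;
    return parts[0] * 10000 + parts[1] * 100 + parts[2];
}

/* Bounded substring search (memmem is not portable). */
static const char *memfind(const char *hay, size_t n, const char *needle, size_t m)
{
    size_t i;
    for (i = 0; m <= n && i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return hay + i;
    return NULL;
}

/* Scans the XML prolog (everything before the root element) of a UTF-8 or
 * ASCII-compatible document and reports whether it declares a DOCTYPE, the
 * only construct that can carry an internal subset.
 *   1: DOCTYPE present, reject before libxml2 sees the document
 *   0: prolog is clean, safe to pass on
 *  -1: prolog malformed or truncated, reject as well */
int xml_prolog_has_doctype(const char *buf, size_t len)
{
    size_t i = 0;
    if (len >= 3 && memcmp(buf, "\xEF\xBB\xBF", 3) == 0) i = 3;  /* UTF-8 BOM */
    while (i < len) {
        if (isspace((unsigned char)buf[i])) { i++; continue; }
        if (buf[i] != '<') return -1;              /* character data before root */
        if (len - i >= 4 && memcmp(buf + i, "<!--", 4) == 0) {      /* comment */
            const char *end = memfind(buf + i + 4, len - i - 4, "-->", 3);
            if (end == NULL) return -1;
            i = (size_t)(end - buf) + 3;
            continue;
        }
        if (len - i >= 2 && buf[i + 1] == '?') {   /* XML declaration or PI */
            const char *end = memfind(buf + i + 2, len - i - 2, "?>", 2);
            if (end == NULL) return -1;
            i = (size_t)(end - buf) + 2;
            continue;
        }
        if (len - i >= 9 && memcmp(buf + i, "<!DOCTYPE", 9) == 0) return 1;
        if (len - i >= 2 && buf[i + 1] == '!') return -1;  /* no other "<!" belongs here */
        return 0;                                   /* root element start tag */
    }
    return -1;                                      /* no root element at all */
}

int main(void)
{
    /* Constructed sample: an internal subset declaring an entity, the kind of
     * input that reaches xmlParseInternalSubset. */
    static const char doc[] =
        "<?xml version=\"1.0\"?>\n"
        "<!DOCTYPE note [ <!ENTITY greet \"hello\"> ]>\n"
        "<note>&greet;</note>\n";
    int verdict = xml_prolog_has_doctype(doc, sizeof doc - 1);
    printf("libxml2 2.10.3 in affected range: %d\n",
           libxml2_affected(libxml2_version_number("2.10.3")));
    printf("sample document carries a DOCTYPE: %d\n", verdict);
    /* Only when verdict == 0 would the application go on to call
     * xmlReadMemory(doc, len, NULL, NULL, XML_PARSE_NONET) or similar. */
    return 0;
}
```

The gate deliberately returns -1 for anything it cannot account for in the prolog (stray text, an unterminated comment, a bare "<!" that is not a DOCTYPE) rather than letting libxml2 decide, since the point is to keep the library's DTD code path unreachable from untrusted input. The version helpers are for inventory scripts; on a system whose vendor backports fixes, the package changelog outranks the number they return.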

Generated by OpenCVE AI on June 22, 2026 at 14:40 UTC.


Advisories

No advisories yet.

History

Mon, 22 Jun 2026 13:45:00 +0000

Type          Values Removed   Values Added
Description                    Use After Free in libxml2's xmlParseInternalSubset from GNOME libxml2 version 2.9.11 to 2.11.0 allows a remote attacker to cause a denial-of-service via maliciously crafted XML input with improper entity resolution handling.
Title                          libxml2: Use after free in xmlParseInternalSubset via improper entity resolution handling
Weaknesses                     CWE-416, CWE-611
References
Metrics                        cvssV4_0: {'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}



MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-06-22T12:40:31.424Z

Reserved: 2026-04-20T06:37:45.271Z

Link: CVE-2026-6653

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T14:45:05Z

Weaknesses
  • CWE-416

    Use After Free

  • CWE-611

    Improper Restriction of XML External Entity Reference