CVE-2026-6653
Publication date 22 June 2026
Last updated 26 June 2026
Ubuntu priority
Description
A use-after-free in xmlParseInternalSubset in GNOME libxml2 versions 2.9.11 to 2.11.0 allows a remote attacker to cause a denial of service via maliciously crafted XML input that triggers improper entity resolution handling.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| libxml2 | 26.04 LTS resolute | Not affected |
| | 25.10 questing | Not affected |
| | 24.04 LTS noble | Fixed 2.9.14+dfsg-1.3ubuntu3.8 |
| | 22.04 LTS jammy | Fixed 2.9.13+dfsg-1ubuntu0.12 |
| | 20.04 LTS focal | Not affected |
| | 18.04 LTS bionic | Not affected |
| | 16.04 LTS xenial | Not affected |
| | 14.04 LTS trusty | Not affected |
Severity score breakdown
CVSS version: CVSS v4.0
Base score: 7.0 · High
Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
References
Related Ubuntu Security Notices (USN)
- USN-8456-1: libxml2 vulnerability (22 June 2026)