CVE-2026-6653
Use After Free in libxml2 XML Parser

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: Canonical Ltd.

Description
Use After Free in libxml2's xmlParseInternalSubset from GNOME libxml2 version 2.9.11 to 2.11.0 allows a remote attacker to cause a denial-of-service via maliciously crafted XML input with improper entity resolution handling.
Affected Vendors & Products (3 associated CPEs)
Vendor   Product   Version / Range
gnome    libxml2   from 2.9.11 (inclusive) to 2.11.0 (exclusive)
gnome    libxml2   2.9.14+dfsg-1.3ubuntu3.7
gnome    libxml2   2.11.0
CWE
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
CWE-611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Executive Summary

CVE-2026-6653 is a use-after-free vulnerability in the libxml2 library, specifically in the xmlParseInternalSubset function. It affects versions from 2.9.11 up to, but not including, 2.11.0. The flaw allows a remote attacker to cause memory corruption by supplying maliciously crafted XML input whose entity resolution is handled improperly.

The defect is a heap use-after-free: the parser accesses memory that has already been freed, which can lead to unexpected behaviour or crashes. It was discovered during research on distributed fuzzing techniques and was silently fixed in version 2.11.0.

Impact Analysis

This vulnerability can be exploited remotely by an attacker who sends specially crafted XML data to an application that links an affected libxml2 version. The primary impact is a denial-of-service condition caused by memory corruption, which can crash the application or the process parsing the XML.

Because a use-after-free is a memory-safety defect, more severe outcomes cannot be ruled out, but the only confirmed impact is denial of service.

Detection Guidance

The bug is a heap use-after-free in libxml2's xmlParseInternalSubset function, triggered while processing malformed XML input. Detection therefore centres on identifying XML inputs that cause memory corruption or crashes in libxml2 versions 2.9.11 through 2.10.x.

A proof-of-concept (PoC) exists that demonstrates the issue, which can be used to test if your system is vulnerable by feeding crafted XML inputs to applications using libxml2.

Since the vulnerability is triggered by malformed XML, it can also be surfaced by running fuzzing tools or test scripts that submit malformed XML to services or applications built on libxml2, ideally under a memory-error detector such as AddressSanitizer so that a use-after-free is reported rather than silently corrupting the heap.

No specific commands are provided in the available resources, but you can check your libxml2 version with commands like:

  • dpkg -l | grep libxml2
  • xml2-config --version

If the reported version is 2.9.11 or later but earlier than 2.11.0, the system is potentially vulnerable.
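The version check above can be scripted so it can run across a fleet. The following is an added example (not part of this advisory or of the libxml2 project) that compares a libxml2 version string against the affected range stated on this page, 2.9.11 inclusive to 2.11.0 exclusive. It compares upstream version numbers only: a distribution build such as the Ubuntu 2.9.14+dfsg-1.3ubuntu3.7 package mentioned below keeps the upstream number even though the vendor has shipped a fix, so for packaged builds the vendor advisory, not this script, is authoritative. The fallback sample value `2.9.14` is constructed for the stand-alone run.

```shell
#!/bin/sh
# Added example: classify a libxml2 version against the CVE-2026-6653
# affected range [2.9.11, 2.11.0) published in the advisory.
set -u

AFFECTED_FROM=2.9.11   # first affected upstream release (inclusive)
FIXED_IN=2.11.0        # first upstream release carrying the fix (exclusive)

# version_key VERSION -> prints one integer that orders dotted versions.
# Only the leading numeric "major.minor.patch" part is used; a packaging
# suffix such as "+dfsg-1.3ubuntu3.7" is dropped, so vendor backports that
# keep the upstream number still classify as affected.
version_key() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    old_ifs=$IFS
    IFS=.
    set -- $v
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    echo $(( major * 1000000 + minor * 1000 + patch ))
}

# libxml2_status VERSION -> prints "affected" or "not-affected".
libxml2_status() {
    k=$(version_key "$1")
    lo=$(version_key "$AFFECTED_FROM")
    hi=$(version_key "$FIXED_IN")
    if [ "$k" -ge "$lo" ] && [ "$k" -lt "$hi" ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Stand-alone use: ask xml2-config when it is installed; otherwise fall back
# to a constructed sample value so the script still demonstrates the check.
if command -v xml2-config >/dev/null 2>&1; then
    installed=$(xml2-config --version)
else
    installed=2.9.14   # constructed sample, not a real installed version
fi
printf 'libxml2 %s: %s\n' "$installed" "$(libxml2_status "$installed")"
```

On Debian-based hosts the same function can be fed the output of `dpkg-query -W -f='${Version}' libxml2` instead of `xml2-config --version`; any packaging suffix is stripped before comparison, which is exactly why a "affected" result for a vendor-patched package must be cross-checked against the vendor's advisory.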

Mitigation Strategies

The vulnerability was silently fixed in libxml2 version 2.11.0. Therefore, the immediate mitigation step is to upgrade libxml2 to version 2.11.0 or later.

If upgrading is not immediately possible, restrict or validate XML input reaching applications that use libxml2, so that untrusted or malformed documents capable of triggering the defect are rejected before they are parsed.

Additionally, monitor for updates from your operating system vendor: Ubuntu, for example, has addressed this issue in libxml2 version 2.9.14+dfsg-1.3ubuntu3.7 for Ubuntu 24.04.3 LTS.
