CVE-2026-6653 PUBLISHED

libxml2: Use after free in xmlParseInternalSubset via improper entity resolution handling

Assigner: canonical
Reserved: 20.04.2026 Published: 22.06.2026 Updated: 22.06.2026

Use After Free in libxml2's xmlParseInternalSubset from GNOME libxml2 version 2.9.11 to 2.11.0 allows a remote attacker to cause a denial-of-service via maliciously crafted XML input with improper entity resolution handling.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
CVSS Score: 7

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	High	Integrity	Low	Integrity	None
Attack Requirements	None	Availability	Low	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	GNOME
Product	libxml2
Versions	Default: unaffected affected from 2.9.11 to 2.11.0 (excl.)

Solutions

Upgrade to libxml2 version 2.11.0 or later

Credits

Geoffrey Humphreys finder

References

Problem Types

CWE-416 Use after free CWE
CWE-611 Improper Restriction of XML External Entity Processing CWE

Impacts

CAPEC-242 Code Injection