Debian dla-4622 : libxml2 - security update

Nessus Plugin ID 319670 (severity: medium)

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4622 advisory.

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4622-1                     [email protected]
https://www.debian.org/lts/security/                      Guilhem Moulin
June 08, 2026                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : libxml2
Version        : 2.9.10+dfsg-6.7+deb11u10
CVE ID         : CVE-2025-8732 CVE-2026-0989 CVE-2026-0990 CVE-2026-0992 CVE-2026-1757
Debian Bug     : 1125691 1125695 1125696

Multiple security issues were found in libxml2, the GNOME XML library, which could lead to Denial of Service.

CVE-2025-8732

Catalog parsing functions were missing cycle detection. When a catalog file contains a CATALOG directive pointing to itself, `xmlExpandCatalog()` and `xmlParseSGMLCatalog()` recursively call each other without bounds until stack overflow.

CVE-2026-0989

The RelaxNG parser does not limit the recursion depth when resolving `<include>` directives, which may lead to stack overflow on a malicious RelaxNG schema file.

CVE-2026-0990

Nick Wellnhofer discovered that `xmlCatalogXMLResolveURI()` will recurse infinitely if a catalog has a URI delegate referencing itself, eventually resulting in a call stack overflow.

CVE-2026-0992

Nick Wellnhofer discovered that processing a chain of XML catalogs linked with `<nextCatalog>` and having the `<nextCatalog>` element takes exponential time, leading to denial of service via resource exhaustion.

CVE-2026-1757

The command parsing logic of the xmllint(1) interactive shell was found to leak memory.

In addition, a few other security issues were found for which no CVE ID was assigned yet:

* Memory leak of prefix in `xmlTextWriterStartElementNS()`.

* Potential use-after-free issue in `xmlRelaxNGValidateValue()`.

* Memory leak in `xmlTextWriterStartAttributeNS()`.

* Additional memory leaks on error paths in schematron.

* Stack overflow from self-referencing SGML CATALOG entries.

For Debian 11 bullseye, these problems have been fixed in version 2.9.10+dfsg-6.7+deb11u10.

We recommend that you upgrade your libxml2 packages.

For the detailed security status of libxml2 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/libxml2

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
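Three of the issues above share one root cause: a catalog or include reference is followed recursively with no record of what has already been visited, so a self-reference recurses until the stack is exhausted and duplicated links get walked again and again. The toy resolver below is an added illustration of that class and of the standard fix (a visited set plus a depth cap); it is not libxml2 code, and the catalog model (a name mapped to the list of catalogs its `<nextCatalog>` entries point to), the function names and the depth cap are assumptions made for the example.

```python
"""Toy resolver for a chain of XML catalogs, added to illustrate the
vulnerability class in this advisory: references that point back at
themselves (unbounded recursion) and duplicated links that make a naive
walk take exponential time. Not libxml2 code; the catalog model, the
function names and MAX_DEPTH are assumptions made for the example.
"""
MAX_DEPTH = 64   # assumed cap on chain length, chosen for the example


class CatalogCycleError(ValueError):
    """Raised when a catalog chain loops back on itself."""


class CatalogDepthError(ValueError):
    """Raised when a chain is longer than MAX_DEPTH."""


def resolve_unbounded(catalogs, name, visits=None):
    """Follow <nextCatalog> links with no bookkeeping at all.
    A self-referencing catalog recurses until the interpreter's stack
    limit (the Python analogue of the stack overflow described above), and
    a chain whose catalogs each list the same next catalog twice is walked
    about 2^n times instead of n."""
    if visits is None:
        visits = []
    visits.append(name)
    for nxt in catalogs.get(name, []):
        resolve_unbounded(catalogs, nxt, visits)
    return visits


def resolve_checked(catalogs, name, visited=None, depth=0):
    """The same walk with cycle detection and a depth cap.
    `visited` maps a catalog name to True once its whole subchain has been
    resolved. Meeting a name that is present but not finished is a
    back-edge, i.e. a cycle; meeting a finished name is a shared subchain
    that need not be walked again."""
    if depth > MAX_DEPTH:
        raise CatalogDepthError(f"catalog chain deeper than {MAX_DEPTH}")
    if visited is None:
        visited = {}
    if name in visited:
        if not visited[name]:
            raise CatalogCycleError(f"catalog {name!r} is part of a cycle")
        return list(visited)
    visited[name] = False
    for nxt in catalogs.get(name, []):
        resolve_checked(catalogs, nxt, visited, depth + 1)
    visited[name] = True
    return list(visited)      # each catalog appears exactly once


def chain(n, fan_out=1):
    """Constructed catalog set c0 -> c1 -> ... -> cn, each link listed
    `fan_out` times (fan_out=2 gives the exponential-time shape)."""
    catalogs = {f"c{i}": [f"c{i+1}"] * fan_out for i in range(n)}
    catalogs[f"c{n}"] = []
    return catalogs


def compare_resolvers(catalogs, start):
    """Run both resolvers on the same input and report the number of
    catalog visits each made, or the failure mode it hit."""
    report = {}
    try:
        report["unbounded"] = len(resolve_unbounded(catalogs, start))
    except RecursionError:
        report["unbounded"] = "stack exhausted"
    try:
        report["checked"] = len(resolve_checked(catalogs, start))
    except ValueError as exc:
        report["checked"] = f"rejected: {exc}"
    return report


# constructed inputs for the example
SELF_REFERENCE = {"catalog.xml": ["catalog.xml"]}          # CATALOG pointing to itself
TWO_NODE_CYCLE = {"a.xml": ["b.xml"], "b.xml": ["a.xml"]}

if __name__ == "__main__":
    print("self-reference:", compare_resolvers(SELF_REFERENCE, "catalog.xml"))
    print("two-node cycle:", compare_resolvers(TWO_NODE_CYCLE, "a.xml"))
    print("15 links, each doubled:", compare_resolvers(chain(15, fan_out=2), "c0"))
    print("70-link straight chain:", compare_resolvers(chain(70), "c0"))
```

The visited set does double duty: marking a catalog as "in progress" catches cycles, and marking it "finished" lets a shared subchain be skipped, which turns the doubled 15-link chain from 65535 visits into 16. The depth cap is a separate guard for legitimately deep but acyclic chains, which a visited set alone would not bound.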

Solution

Upgrade the libxml2 packages.
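Verifying the upgrade means comparing the installed version against 2.9.10+dfsg-6.7+deb11u10 using Debian's version ordering, not plain string order (which would rank "deb11u9" above "deb11u10"). The script below is an added example, not Tenable's plugin logic and not dpkg itself: it re-implements the Debian ordering rules (epoch, upstream version, Debian revision; alternating non-digit/digit comparison; `~` sorting first) so the check runs offline, and applies it to constructed `dpkg -l` rows for the binary packages listed in this plugin's CPE entries.

```python
"""Offline check of dpkg -l rows against the fixed libxml2 version from
DLA-4622. Added, illustrative code: neither Tenable's plugin logic nor
dpkg. The dpkg output at the bottom is constructed for the example.
"""
import re

FIXED_VERSION = "2.9.10+dfsg-6.7+deb11u10"   # from the advisory
# binary packages built from the libxml2 source package (from the plugin's CPE list)
AFFECTED_PACKAGES = {
    "libxml2", "libxml2-dev", "libxml2-utils", "libxml2-doc",
    "python3-libxml2", "python3-libxml2-dbg",
}

_FRAGMENT = re.compile(r"(\D*)(\d*)")


def _split_version(version):
    """Return (epoch, upstream, revision); missing epoch is 0, missing revision ''."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def _char_order(c):
    """Debian ordering for one non-digit character: '~' sorts before the
    end of the string, letters before everything else."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _compare_fragment(a, b):
    """Compare two upstream or revision strings with the alternating
    non-digit / digit algorithm dpkg uses."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        ma, mb = _FRAGMENT.match(a, ia), _FRAGMENT.match(b, ib)
        # non-digit run: character by character; the end of a run has order 0
        na, nb = ma.group(1), mb.group(1)
        for i in range(max(len(na), len(nb))):
            oa = _char_order(na[i]) if i < len(na) else 0
            ob = _char_order(nb[i]) if i < len(nb) else 0
            if oa != ob:
                return -1 if oa < ob else 1
        # digit run: numerically, an empty run counts as 0
        da, db = int(ma.group(2) or "0"), int(mb.group(2) or "0")
        if da != db:
            return -1 if da < db else 1
        ia, ib = ma.end(), mb.end()
    return 0


def compare_versions(a, b):
    """Return -1, 0 or 1, ordering a against b the way dpkg --compare-versions does."""
    ea, ua, ra = _split_version(a)
    eb, ub, rb = _split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _compare_fragment(ua, ub) or _compare_fragment(ra, rb)


def is_vulnerable(package, version, fixed=FIXED_VERSION):
    return package in AFFECTED_PACKAGES and compare_versions(version, fixed) < 0


def check_dpkg_lines(lines):
    """Parse 'dpkg -l' rows and return [(package, version, vulnerable)] for
    installed packages that come from the libxml2 source package."""
    results = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3 or fields[0] != "ii":   # only fully installed rows
            continue
        package = fields[1].split(":")[0]          # drop the :amd64 suffix
        if package in AFFECTED_PACKAGES:
            results.append((package, fields[2], is_vulnerable(package, fields[2])))
    return results


# constructed sample of `dpkg -l` output, not taken from a real host
SAMPLE_DPKG = """\
ii  libxml2:amd64     2.9.10+dfsg-6.7+deb11u9   amd64  GNOME XML library
ii  libxml2-utils     2.9.10+dfsg-6.7+deb11u10  amd64  XML utilities
ii  python3-libxml2   2.9.10+dfsg-6.7+deb11u2   amd64  Python3 bindings for libxml2
ii  libxslt1.1:amd64  1.1.34-4+deb11u1          amd64  XSLT 1.0 processing library
""".splitlines()

if __name__ == "__main__":
    for package, version, vulnerable in check_dpkg_lines(SAMPLE_DPKG):
        print(f"{package:18} {version:28} {'VULNERABLE' if vulnerable else 'fixed'}")
```

On a real Debian 11 host the same decision is `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' libxml2)" lt 2.9.10+dfsg-6.7+deb11u10`; the point of the reimplementation is to show why the `u9` vs `u10` and `~` cases need the Debian algorithm rather than a string sort, and that a version-based check, like this plugin, says nothing about whether the library is actually exposed to untrusted catalogs or schemas.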

See Also

https://security-tracker.debian.org/tracker/source-package/libxml2

https://security-tracker.debian.org/tracker/CVE-2025-8732

https://security-tracker.debian.org/tracker/CVE-2026-0989

https://security-tracker.debian.org/tracker/CVE-2026-0990

https://security-tracker.debian.org/tracker/CVE-2026-0992

https://security-tracker.debian.org/tracker/CVE-2026-1757

https://packages.debian.org/source/bullseye/libxml2

Plugin Details

Severity: Medium

ID: 319670

File Name: debian_DLA-4622.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 6/8/2026

Updated: 6/8/2026

Supported Sensors: Continuous Assessment, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Low

Base Score: 1.7

Temporal Score: 1.3

Vector: CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:P

CVSS Score Source: CVE-2025-8732

CVSS v3

Risk Factor: Medium

Base Score: 6.2

Temporal Score: 5.4

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2026-1757

CVSS v4

Risk Factor: Medium

Base Score: 4.8

Threat Score: 1.1

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:11.0, p-cpe:/a:debian:debian_linux:python3-libxml2-dbg, p-cpe:/a:debian:debian_linux:python3-libxml2, p-cpe:/a:debian:debian_linux:libxml2-utils, p-cpe:/a:debian:debian_linux:libxml2-dev, p-cpe:/a:debian:debian_linux:libxml2, p-cpe:/a:debian:debian_linux:libxml2-doc

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 6/8/2026

Vulnerability Publication Date: 8/8/2025

Reference Information

CVE: CVE-2025-8732, CVE-2026-0989, CVE-2026-0990, CVE-2026-0992, CVE-2026-1757

IAVA: 2025-A-0840-S