Ubuntu alert USN-7974-1 (libxml2)

From:
             
 
noreply+usn-bot@canonical.com
To:
             
 
ubuntu-security-announce@lists.ubuntu.com
Subject:
             
 
[USN-7974-1] libxml2 vulnerabilities
Date:
             
 
Thu, 22 Jan 2026 18:14:31 +0000
Message-ID:
             
 
<E1vizCR-0001Dj-Ei@lists.ubuntu.com>
==========================================================================
Ubuntu Security Notice USN-7974-1
January 22, 2026

libxml2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in libxml2.

Software Description:
- libxml2: GNOME XML library

Details:

It was discovered that libxml2 incorrectly handled maliciously crafted SGML
catalog files. An attacker could possibly use this issue to cause libxml2
to consume excessive resources, leading to a denial of service.
(CVE-2025-8732)

It was discovered that libxml2 incorrectly handled recursive include
directories with the RelaxNG parser. An attacker could possibly use this
issue to cause libxml2 to consume excessive resources, leading to a denial
of service. (CVE-2026-0989)

Nick Wellnhofer discovered that libxml2 incorrectly parsed catalogs with
self-referencing URI delegates. An attacker could possibly use this issue
to cause libxml2 to consume excessive resources, leading to a denial of
service. (CVE-2026-0990)

Nick Wellnhofer discovered that libxml2 inefficiently parsed catalogs
linked with repeating nextCatalog elements. An attacker could possibly use
this issue to cause libxml2 to use excessive resources, leading to a denial
of service. (CVE-2026-0992)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
  libxml2-16                      2.14.5+dfsg-0.2ubuntu0.1

Ubuntu 24.04 LTS
  libxml2                         2.9.14+dfsg-1.3ubuntu3.7

Ubuntu 22.04 LTS
  libxml2                         2.9.13+dfsg-1ubuntu0.11

Ubuntu 20.04 LTS
  libxml2                         2.9.10+dfsg-5ubuntu0.20.04.10+esm4
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  libxml2                         2.9.4+dfsg1-6.1ubuntu1.9+esm7
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  libxml2                         2.9.3+dfsg1-1ubuntu0.7+esm12
                                  Available with Ubuntu Pro

Ubuntu 14.04 LTS
  libxml2                         2.9.1+dfsg1-3ubuntu4.13+esm11
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7974-1
  CVE-2025-8732, CVE-2026-0989, CVE-2026-0990, CVE-2026-0992

Package Information:
  https://launchpad.net/ubuntu/+source/libxml2/2.14.5+dfsg-...
  https://launchpad.net/ubuntu/+source/libxml2/2.9.14+dfsg-...
  https://launchpad.net/ubuntu/+source/libxml2/2.9.13+dfsg-...


Attachment: signature.asc (type=application/pgp-signature)
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEE+8neBLO2Hp/ppPlOcpJm3tlzhgEFAmlyaE4ACgkQcpJm3tlz
hgEpsQ/9HUVR56/Aa40tS4+Ak+08Ha+Fxn3ms+pgW1kwKqN/KxcMjeleMdor1GDr
LSqfhQ758sVLbzYgyjGZKrIlQOgDyUTfzH9XktqCAoyq5e01fOGpHbOWWSM5w15f
+A1nT3CwKmJRa9zdGqyWFAiLGEjgcZGto2J2qgjQ2RyU6TjCwrW8YmMjR6DeKkyv
1Tw8x0u1izo3/RsITfYxbxhmFz+fRCVm/wMNB1/4M56FUIdms36ZP/VazP/ljOyU
bRpAVv6mGMrsnNoKLhOzP+gP1Ss5oqEWHtvpbqHhEusJ/cpH0oYLIidww7Htv/w9
guCuPP3F0CsSmJvW4KsiRaUkAD1iDGIUcEqTmQrko1EFbpOSvnylXGYG60CCyFTL
aOK2orH4Paxk9bA7eFhzwnZGWnwg1GfvVsNgf9ssa9YRiOBcAmBLrcqdtTQ4XUGc
nZRc5R5LEW3k04wNrsFhfwqF0+q49ZwzlBssx3TfpaRgoxS9zIQ4mOyhEZKNFIzI
n8yLq6ah7g7+RLN2r1/LXkPldAO9cCrkPUantVt41lTqVexlzJYoxL7itQmszak8
CF2hzMME3ig9xV47HYXP9BKRTwQ7idzoFmkNJmq7uxrqyMoEjRwn1S8DWDY96OMK
2+GWj7TJVf3tR3rQgkCsdadwwlux8PPpxHo9O6qvjiTQ+PlY0Jg=
=iVNo
-----END PGP SIGNATURE-----