An update for libxml2 is now available for openEuler-22.03-LTS-SP4,openEuler-24.03-LTS,openEuler-24.03-LTS-SP1,openEuler-24.03-LTS-SP2,openEuler-24.03-LTS-SP3,openEuler-20.03-LTS-SP4 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-1598 Final 1.0 1.0 2026-03-15 Initial 2026-03-15 2026-03-15 openEuler SA Tool V1.0 2026-03-15 libxml2 security update An update for libxml2 is now available for openEuler-22.03-LTS-SP4,openEuler-24.03-LTS,openEuler-24.03-LTS-SP1,openEuler-24.03-LTS-SP2,openEuler-24.03-LTS-SP3,openEuler-20.03-LTS-SP4 This library allows to manipulate XML files. It includes support to read, modify and write XML and HTML files. There is DTDs support this includes parsing and validation even with complex DtDs, either at parse time or later once the document has been modified. The output can be a simple SAX stream or and in-memory DOM like representations. In this case one can use the built-in XPath and XPointer implementation to select sub nodes or ranges. A flexible Input/Output mechanism is available, with existing HTTP and FTP modules and combined to an URI library. Security Fix(es): A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains, that "[t]he issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. I also doubt that anyone is still using SGML catalogs at all."(CVE-2025-8732) A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.(CVE-2026-0989) A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications.(CVE-2026-0990) A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition.(CVE-2026-0992) An update for libxml2 is now available for openEuler-22.03-LTS-SP4,openEuler-24.03-LTS,openEuler-24.03-LTS-SP1,openEuler-24.03-LTS-SP2,openEuler-24.03-LTS-SP3,openEuler-20.03-LTS-SP4. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium libxml2 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1598 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-8732 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-0989 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-0990 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-0992 https://nvd.nist.gov/vuln/detail/CVE-2025-8732 https://nvd.nist.gov/vuln/detail/CVE-2026-0989 https://nvd.nist.gov/vuln/detail/CVE-2026-0990 https://nvd.nist.gov/vuln/detail/CVE-2026-0992 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 libxml2-help-2.9.14-26.oe2203sp4.noarch.rpm libxml2-help-2.11.5-15.oe2403.noarch.rpm libxml2-help-2.11.9-12.oe2403sp1.noarch.rpm libxml2-help-2.11.9-12.oe2403sp2.noarch.rpm libxml2-help-2.11.9-12.oe2403sp3.noarch.rpm libxml2-help-2.9.10-55.oe2003sp4.noarch.rpm libxml2-2.9.14-26.oe2203sp4.aarch64.rpm libxml2-debuginfo-2.9.14-26.oe2203sp4.aarch64.rpm libxml2-debugsource-2.9.14-26.oe2203sp4.aarch64.rpm libxml2-devel-2.9.14-26.oe2203sp4.aarch64.rpm python3-libxml2-2.9.14-26.oe2203sp4.aarch64.rpm libxml2-2.11.5-15.oe2403.aarch64.rpm libxml2-debuginfo-2.11.5-15.oe2403.aarch64.rpm libxml2-debugsource-2.11.5-15.oe2403.aarch64.rpm libxml2-devel-2.11.5-15.oe2403.aarch64.rpm python3-libxml2-2.11.5-15.oe2403.aarch64.rpm libxml2-2.11.9-12.oe2403sp1.aarch64.rpm libxml2-debuginfo-2.11.9-12.oe2403sp1.aarch64.rpm libxml2-debugsource-2.11.9-12.oe2403sp1.aarch64.rpm libxml2-devel-2.11.9-12.oe2403sp1.aarch64.rpm python3-libxml2-2.11.9-12.oe2403sp1.aarch64.rpm libxml2-2.11.9-12.oe2403sp2.aarch64.rpm libxml2-debuginfo-2.11.9-12.oe2403sp2.aarch64.rpm libxml2-debugsource-2.11.9-12.oe2403sp2.aarch64.rpm libxml2-devel-2.11.9-12.oe2403sp2.aarch64.rpm python3-libxml2-2.11.9-12.oe2403sp2.aarch64.rpm libxml2-2.11.9-12.oe2403sp3.aarch64.rpm libxml2-debuginfo-2.11.9-12.oe2403sp3.aarch64.rpm libxml2-debugsource-2.11.9-12.oe2403sp3.aarch64.rpm libxml2-devel-2.11.9-12.oe2403sp3.aarch64.rpm python3-libxml2-2.11.9-12.oe2403sp3.aarch64.rpm libxml2-2.9.10-55.oe2003sp4.aarch64.rpm libxml2-debuginfo-2.9.10-55.oe2003sp4.aarch64.rpm libxml2-debugsource-2.9.10-55.oe2003sp4.aarch64.rpm libxml2-devel-2.9.10-55.oe2003sp4.aarch64.rpm python2-libxml2-2.9.10-55.oe2003sp4.aarch64.rpm python3-libxml2-2.9.10-55.oe2003sp4.aarch64.rpm libxml2-2.9.14-26.oe2203sp4.src.rpm libxml2-2.11.5-15.oe2403.src.rpm libxml2-2.11.9-12.oe2403sp1.src.rpm libxml2-2.11.9-12.oe2403sp2.src.rpm libxml2-2.11.9-12.oe2403sp3.src.rpm libxml2-2.9.10-55.oe2003sp4.src.rpm libxml2-2.9.14-26.oe2203sp4.x86_64.rpm libxml2-debuginfo-2.9.14-26.oe2203sp4.x86_64.rpm libxml2-debugsource-2.9.14-26.oe2203sp4.x86_64.rpm libxml2-devel-2.9.14-26.oe2203sp4.x86_64.rpm python3-libxml2-2.9.14-26.oe2203sp4.x86_64.rpm libxml2-2.11.5-15.oe2403.x86_64.rpm libxml2-debuginfo-2.11.5-15.oe2403.x86_64.rpm libxml2-debugsource-2.11.5-15.oe2403.x86_64.rpm libxml2-devel-2.11.5-15.oe2403.x86_64.rpm python3-libxml2-2.11.5-15.oe2403.x86_64.rpm libxml2-2.11.9-12.oe2403sp1.x86_64.rpm libxml2-debuginfo-2.11.9-12.oe2403sp1.x86_64.rpm libxml2-debugsource-2.11.9-12.oe2403sp1.x86_64.rpm libxml2-devel-2.11.9-12.oe2403sp1.x86_64.rpm python3-libxml2-2.11.9-12.oe2403sp1.x86_64.rpm libxml2-2.11.9-12.oe2403sp2.x86_64.rpm libxml2-debuginfo-2.11.9-12.oe2403sp2.x86_64.rpm libxml2-debugsource-2.11.9-12.oe2403sp2.x86_64.rpm libxml2-devel-2.11.9-12.oe2403sp2.x86_64.rpm python3-libxml2-2.11.9-12.oe2403sp2.x86_64.rpm libxml2-2.11.9-12.oe2403sp3.x86_64.rpm libxml2-debuginfo-2.11.9-12.oe2403sp3.x86_64.rpm libxml2-debugsource-2.11.9-12.oe2403sp3.x86_64.rpm libxml2-devel-2.11.9-12.oe2403sp3.x86_64.rpm python3-libxml2-2.11.9-12.oe2403sp3.x86_64.rpm libxml2-2.9.10-55.oe2003sp4.x86_64.rpm libxml2-debuginfo-2.9.10-55.oe2003sp4.x86_64.rpm libxml2-debugsource-2.9.10-55.oe2003sp4.x86_64.rpm libxml2-devel-2.9.10-55.oe2003sp4.x86_64.rpm python2-libxml2-2.9.10-55.oe2003sp4.x86_64.rpm python3-libxml2-2.9.10-55.oe2003sp4.x86_64.rpm A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains, that "[t]he issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. I also doubt that anyone is still using SGML catalogs at all." 2026-03-15 CVE-2025-8732 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 Low 3.3 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L libxml2 security update 2026-03-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1598 A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk. 2026-03-15 CVE-2026-0989 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 Low 3.7 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L libxml2 security update 2026-03-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1598 A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications. 2026-03-15 CVE-2026-0990 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 Medium 5.9 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H libxml2 security update 2026-03-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1598 A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition. 2026-03-15 CVE-2026-0992 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 Low 2.9 AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L libxml2 security update 2026-03-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1598