Security update for libxml2

Announcement ID:	SUSE-SU-2026:0782-1
Release Date:	2026-03-03T13:35:15Z
Rating:	moderate
References:	bsc#1250553 bsc#1256807 bsc#1256808 bsc#1256809 bsc#1256811 bsc#1256812 bsc#1257593 bsc#1257594 bsc#1257595
Cross-References:	CVE-2025-10911 CVE-2026-0990 CVE-2026-0992 CVE-2026-1757
CVSS scores:	CVE-2025-10911 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-10911 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2025-10911 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2026-0990 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2026-0990 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-0990 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-0992 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2026-0992 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2026-0992 ( NVD ): 2.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2026-1757 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2026-1757 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2026-1757 ( NVD ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security SUSE Linux Enterprise Server for SAP Applications 12 SP5

An update that solves four vulnerabilities and has five security fixes can now be installed.

Description:

This update for libxml2 fixes the following issues:

• CVE-2026-0990: Fixed a call stack overflow leading to application crash due to infinite recursion in xmlCatalogXMLResolveURI. (bsc#1256807, bsc#1256811)
• CVE-2026-0992: Fixed an excessive resource consumption when processing XML catalogs due to exponential behavior. (bsc#1256809, bsc#1256812)
• CVE-2026-1757: Fixed a memory leak in the xmllint interactive shell. (bsc#1257594, bsc#1257595)
• CVE-2025-10911: Fixed a use-after-free with key data stored cross-RVT. (bsc#1250553)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2026-782=1

Package List:

• SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (x86_64)
  • libxml2-2-debuginfo-32bit-2.9.4-46.99.1
  • libxml2-2-2.9.4-46.99.1
  • libxml2-debugsource-2.9.4-46.99.1
  • libxml2-tools-2.9.4-46.99.1
  • python-libxml2-debuginfo-2.9.4-46.99.1
  • python-libxml2-debugsource-2.9.4-46.99.1
  • libxml2-2-debuginfo-2.9.4-46.99.1
  • libxml2-tools-debuginfo-2.9.4-46.99.1
  • python-libxml2-2.9.4-46.99.1
  • libxml2-2-32bit-2.9.4-46.99.1
  • libxml2-devel-2.9.4-46.99.1
• SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (noarch)
  • libxml2-doc-2.9.4-46.99.1

References:

• https://www.suse.com/security/cve/CVE-2025-10911.html
• https://www.suse.com/security/cve/CVE-2026-0990.html
• https://www.suse.com/security/cve/CVE-2026-0992.html
• https://www.suse.com/security/cve/CVE-2026-1757.html
• https://bugzilla.suse.com/show_bug.cgi?id=1250553
• https://bugzilla.suse.com/show_bug.cgi?id=1256807
• https://bugzilla.suse.com/show_bug.cgi?id=1256808
• https://bugzilla.suse.com/show_bug.cgi?id=1256809
• https://bugzilla.suse.com/show_bug.cgi?id=1256811
• https://bugzilla.suse.com/show_bug.cgi?id=1256812
• https://bugzilla.suse.com/show_bug.cgi?id=1257593
• https://bugzilla.suse.com/show_bug.cgi?id=1257594
• https://bugzilla.suse.com/show_bug.cgi?id=1257595