Amazon Linux 2 Security Advisory: ALAS2-2026-3122
Advisory Released Date: 2026-01-21
Advisory Updated Date: 2026-01-21
A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains that "[t]he issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. I also doubt that anyone is still using SGML catalogs at all." (CVE-2025-8732)
Affected Packages:
libxml2
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update libxml2 or yum update --advisory ALAS2-2026-3122 to update your system.
aarch64:
libxml2-2.9.1-6.amzn2.5.21.aarch64
libxml2-devel-2.9.1-6.amzn2.5.21.aarch64
libxml2-static-2.9.1-6.amzn2.5.21.aarch64
libxml2-python-2.9.1-6.amzn2.5.21.aarch64
libxml2-debuginfo-2.9.1-6.amzn2.5.21.aarch64
i686:
libxml2-2.9.1-6.amzn2.5.21.i686
libxml2-devel-2.9.1-6.amzn2.5.21.i686
libxml2-static-2.9.1-6.amzn2.5.21.i686
libxml2-python-2.9.1-6.amzn2.5.21.i686
libxml2-debuginfo-2.9.1-6.amzn2.5.21.i686
src:
libxml2-2.9.1-6.amzn2.5.21.src
x86_64:
libxml2-2.9.1-6.amzn2.5.21.x86_64
libxml2-devel-2.9.1-6.amzn2.5.21.x86_64
libxml2-static-2.9.1-6.amzn2.5.21.x86_64
libxml2-python-2.9.1-6.amzn2.5.21.x86_64
libxml2-debuginfo-2.9.1-6.amzn2.5.21.x86_64
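
To confirm that a host has picked up the fixed build listed above, the installed version-release can be compared with 2.9.1-6.amzn2.5.21. The script below is an added example, not part of the Amazon advisory; the function names are hypothetical, and it assumes GNU `sort -V` as an approximation of RPM version ordering.

```shell
#!/bin/sh
# Added example (not from the advisory): check whether installed libxml2
# packages are at or above the fixed build from ALAS2-2026-3122.

FIXED_VR="2.9.1-6.amzn2.5.21"   # version-release from the advisory's package list

# vr_at_least INSTALLED FIXED
# Returns 0 when INSTALLED >= FIXED, 1 when it is older, 2 on empty input.
# Assumption: GNU `sort -V` stands in for RPM's own comparison. That holds for
# amzn2 builds of the same 2.9.1-6.amzn2.x.y form; it is not a full rpmvercmp.
vr_at_least() {
    val_installed="$1"
    val_fixed="$2"
    [ -n "$val_installed" ] || return 2
    val_lowest=$(printf '%s\n%s\n' "$val_installed" "$val_fixed" | sort -V | head -n 1)
    [ "$val_lowest" = "$val_fixed" ]
}

# check_host: query every installed libxml2* package (a multilib host may carry
# both i686 and x86_64 builds) and flag each one still below the fixed build.
# Returns 1 if any package needs updating, 0 otherwise.
check_host() {
    chk_rc=0
    chk_pkgs=$(rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE} %{ARCH}\n' 'libxml2*')
    while read -r chk_name chk_vr chk_arch; do
        [ -n "$chk_name" ] || continue
        if vr_at_least "$chk_vr" "$FIXED_VR"; then
            echo "OK      $chk_name-$chk_vr.$chk_arch"
        else
            echo "UPDATE  $chk_name-$chk_vr.$chk_arch"
            chk_rc=1
        fi
    done <<EOF
$chk_pkgs
EOF
    return "$chk_rc"
}

# Run the host check only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

Run it with `--check` on the host; a non-zero exit status means at least one libxml2 package is still older than the fixed build.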