ALAS2-2026-3144

References: CVE-2026-0990  CVE-2026-0992 
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications. (CVE-2026-0990)

A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition. (CVE-2026-0992)

Issue Correction:
Run yum update libxml2 or yum update --advisory ALAS2-2026-3144 to update your system.

New Packages:

aarch64:
    libxml2-2.9.1-6.amzn2.5.22.aarch64
    libxml2-devel-2.9.1-6.amzn2.5.22.aarch64
    libxml2-static-2.9.1-6.amzn2.5.22.aarch64
    libxml2-python-2.9.1-6.amzn2.5.22.aarch64
    libxml2-debuginfo-2.9.1-6.amzn2.5.22.aarch64

i686:
    libxml2-2.9.1-6.amzn2.5.22.i686
    libxml2-devel-2.9.1-6.amzn2.5.22.i686
    libxml2-static-2.9.1-6.amzn2.5.22.i686
    libxml2-python-2.9.1-6.amzn2.5.22.i686
    libxml2-debuginfo-2.9.1-6.amzn2.5.22.i686

src:
    libxml2-2.9.1-6.amzn2.5.22.src

x86_64:
    libxml2-2.9.1-6.amzn2.5.22.x86_64
    libxml2-devel-2.9.1-6.amzn2.5.22.x86_64
    libxml2-static-2.9.1-6.amzn2.5.22.x86_64
    libxml2-python-2.9.1-6.amzn2.5.22.x86_64
    libxml2-debuginfo-2.9.1-6.amzn2.5.22.x86_64