build/deps: upgrade libxml2 to v2.15.3 (CVE-2026-6732) #30392

Open
tyson-redpanda wants to merge 1 commit into dev from snyk/cve-2026-6732-libxml2-2.15.3

@tyson-redpanda
Contributor

Upgrades libxml2 from 2.15.2 to 2.15.3 to fix CVE-2026-6732 (type confusion vulnerability in XSD validation with internal entity references, CVSS 7.1 High). This branch uses libxml2 via the Bazel Central Registry — 2.15.3 may not yet be published to BCR; CI will confirm. Backports to v26.1.x and v25.3.x are handled separately via vtools/S3.

Backports Required

  • none - not a bug fix
  • none - this is a backport
  • none - issue does not exist in previous branches
  • none - papercut/not impactful enough to backport
  • v26.1.x
  • v25.3.x
  • v25.2.x

Release Notes

Bug Fixes

  • Upgraded libxml2 to v2.15.3 to fix CVE-2026-6732 type confusion vulnerability in XSD validation.

FIXES=CORE-16201

Fixes type confusion vulnerability in XSD validation with internal
entity references. Upgrades from 2.15.2 to 2.15.3.
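
A regression guard for this upgrade, added here as an example and not part of the pull request or the repository: it reads a `MODULE.bazel` file and fails closed unless libxml2 is pinned at or above 2.15.3. The module name `libxml2`, the `.bcr.N` suffix handling and the sample fragments are assumptions; the fragments are constructed, not the project's real file.

```python
import re

FIXED = "2.15.3"  # release this PR names as fixing CVE-2026-6732

# Constructed MODULE.bazel fragments (assumed shape, not the repository's file).
SAMPLE_OLD = 'bazel_dep(name = "libxml2", version = "2.15.2")\n'
SAMPLE_NEW = 'bazel_dep(\n    name = "libxml2",\n    version = "2.15.3.bcr.1",\n)\n'

_DEP = re.compile(r"bazel_dep\s*\((.*?)\)", re.S)
_ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def upstream_tuple(version):
    """Drop a registry '.bcr.N' suffix and return the upstream version as ints."""
    upstream = version.split(".bcr.", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", upstream):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in upstream.split("."))


def pinned_version(module_text, name="libxml2"):
    """Return the version string of the bazel_dep on `name`, or None."""
    # Ignore whole-line comments so a commented-out pin is not trusted.
    text = re.sub(r"(?m)^\s*#.*$", "", module_text)
    for call in _DEP.finditer(text):
        attrs = dict(_ATTR.findall(call.group(1)))
        if attrs.get("name") == name:
            return attrs.get("version")
    return None


def is_patched(module_text, fixed=FIXED):
    """True only if libxml2 is explicitly pinned at or above the fixed release."""
    version = pinned_version(module_text)
    if version is None:
        return False  # fail closed: no explicit pin found
    # Compare as integer tuples so 2.15.10 sorts above 2.15.3.
    return upstream_tuple(version) >= upstream_tuple(fixed)


if __name__ == "__main__":
    for label, text in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        state = "patched" if is_patched(text) else "VULNERABLE"
        print(label, pinned_version(text), state)
```

Overrides such as `single_version_override` and the resolved version in the lockfile are not inspected here, so the check covers only the direct pin.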