Loading
XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
Use Oracle vendor hub and Jdk product page to widen CVE-2009-2625 into its surrounding weakness, vendor, and product context.
Compare it with CVE-2026-34282, CVE-2026-22016 and CVE-2026-21945 for nearby disclosures in the same product family.