Open ipuustin opened 7 years ago
libxml2 is a widely used component in the distribution (11 direct reverse dependencies), so it's difficult to estimate the vulnerability score. However, at least libsoup will parse network-provided XML files. It's safe to assume that the vulnerability score will be high. The fix to the bug appears to still not be merged into the libxml2 git repository.
See https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9318 and https://bugzilla.gnome.org/show_bug.cgi?id=772726. The initial CVSSv3 vulnerability score is 7.8 (high).