CVE-2026-0990

EUVD-2026-2797
A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 50%
Affected Products (NVD)
VendorProductVersion
redhathardened_images
-
redhatjboss_core_services
-
redhatopenshift_container_platform
4.0
redhatenterprise_linux
6.0
redhatenterprise_linux
7.0
redhatenterprise_linux
8.0
redhatenterprise_linux
9.0
redhatenterprise_linux
10.0
ibmvios
4.1.0 ≤
𝑥
< 4.1.1.30
ibmvios
4.1.2.0
ibmaix
7.2.5 ≤
𝑥
< 7.2.5.12
ibmaix
7.3.2 ≤
𝑥
< 7.3.3.3
ibmaix
7.3.4
xmlsoftlibxml2
𝑥
< 2.15.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libxml2
bookworm
2.9.14+dfsg-1.3~deb12u6
fixed
bookworm (security)
vulnerable
bullseye
vulnerable
bullseye (security)
2.9.10+dfsg-6.7+deb11u10
fixed
forky
2.15.3+dfsg-1
fixed
sid
2.15.3+dfsg-1
fixed
trixie
2.12.7+dfsg+really2.9.14-2.1+deb13u3
fixed
trixie (security)
vulnerable
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
libxml2-2
suse enterprise desktop 15 SP7
2.12.10-150700.4.11.1
fixed
suse enterprise sap 15 SP7
2.12.10-150700.4.11.1
fixed
suse enterprise server 12 SP3
2.9.4-46.99.1
fixed
suse enterprise server 15 SP4
2.9.14-150400.5.55.1
fixed
suse enterprise server 15 SP7
2.12.10-150700.4.11.1
fixed
libxml2-2-32bit
suse enterprise desktop 15 SP7
2.12.10-150700.4.11.1
fixed
suse enterprise sap 15 SP7
2.12.10-150700.4.11.1
fixed
suse enterprise server 12 SP3
2.9.4-46.99.1
fixed
suse enterprise server 15 SP4
2.9.14-150400.5.55.1
fixed
suse enterprise server 15 SP7
2.12.10-150700.4.11.1
fixed
libxml2-devel
suse enterprise desktop 15 SP7
2.12.10-150700.4.11.1
fixed
suse enterprise sap 15 SP7
2.12.10-150700.4.11.1
fixed
suse enterprise server 15 SP4
2.9.14-150400.5.55.1
fixed
suse enterprise server 15 SP7
2.12.10-150700.4.11.1
fixed
libxml2-doc
suse enterprise server 12 SP3
2.9.4-46.99.1
fixed
libxml2-tools
suse enterprise desktop 15 SP7
2.12.10-150700.4.11.1
fixed
suse enterprise sap 15 SP7
2.12.10-150700.4.11.1
fixed
suse enterprise server 12 SP3
2.9.4-46.99.1
fixed
suse enterprise server 15 SP4
2.9.14-150400.5.55.1
fixed
suse enterprise server 15 SP7
2.12.10-150700.4.11.1
fixed
python-libxml2
suse enterprise server 12 SP3
2.9.4-46.99.1
fixed
python3-libxml2
suse enterprise desktop 15 SP7
2.12.10-150700.4.11.1
fixed
suse enterprise sap 15 SP7
2.12.10-150700.4.11.1
fixed
suse enterprise server 15 SP4
2.9.14-150400.5.55.1
fixed
suse enterprise server 15 SP7
2.12.10-150700.4.11.1
fixed
python311-libxml2
suse enterprise server 15 SP4
2.9.14-150400.5.55.1
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
libxml2
Amazon Linux 2
0:2.9.1-6.amzn2.5.22
fixed
Amazon Linux 2023
0:2.10.4-1.amzn2023.0.16
fixed
libxml2-debuginfo
Amazon Linux 2
0:2.9.1-6.amzn2.5.22
fixed
Amazon Linux 2023
0:2.10.4-1.amzn2023.0.16
fixed
libxml2-debugsource
Amazon Linux 2023
0:2.10.4-1.amzn2023.0.16
fixed
libxml2-devel
Amazon Linux 2
0:2.9.1-6.amzn2.5.22
fixed
Amazon Linux 2023
0:2.10.4-1.amzn2023.0.16
fixed
libxml2-python
Amazon Linux 2
0:2.9.1-6.amzn2.5.22
fixed
libxml2-static
Amazon Linux 2
0:2.9.1-6.amzn2.5.22
fixed
Amazon Linux 2023
0:2.10.4-1.amzn2023.0.16
fixed
python3-libxml2
Amazon Linux 2023
0:2.10.4-1.amzn2023.0.16
fixed
python3-libxml2-debuginfo
Amazon Linux 2023
0:2.10.4-1.amzn2023.0.16
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
libxml2
Azure Linux 3.0
0:2.11.5-9.azl3
fixed
CBL-Mariner 2.0
0:2.10.4-10.cm2
fixed