CVE-2026-0992

EUVD-2026-2795
A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
2.9 LOW
LOCAL
HIGH
NONE
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 22%
Affected Products (NVD)
VendorProductVersion
redhathardened_images
-
redhatjboss_core_services
-
redhatopenshift_container_platform
4.0
redhatenterprise_linux
6.0
redhatenterprise_linux
7.0
redhatenterprise_linux
8.0
redhatenterprise_linux
9.0
redhatenterprise_linux
10.0
ibmvios
4.1.0 ≤
𝑥
< 4.1.1.30
ibmvios
4.1.2.0
ibmaix
7.2.5 ≤
𝑥
< 7.2.5.12
ibmaix
7.3.2 ≤
𝑥
< 7.3.3.3
ibmaix
7.3.4
xmlsoftlibxml2
𝑥
< 2.15.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libxml2
bookworm
2.9.14+dfsg-1.3~deb12u6
fixed
bookworm (security)
vulnerable
bullseye
vulnerable
bullseye (security)
2.9.10+dfsg-6.7+deb11u10
fixed
forky
2.15.3+dfsg-1
fixed
sid
2.15.3+dfsg-1
fixed
trixie
2.12.7+dfsg+really2.9.14-2.1+deb13u3
fixed
trixie (security)
vulnerable
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
libxml2-2
suse enterprise desktop 15 SP7
2.12.10-150700.4.11.1
fixed
suse enterprise sap 15 SP7
2.12.10-150700.4.11.1
fixed
suse enterprise server 12 SP3
2.9.4-46.99.1
fixed
suse enterprise server 15 SP4
2.9.14-150400.5.55.1
fixed
suse enterprise server 15 SP7
2.12.10-150700.4.11.1
fixed
libxml2-2-32bit
suse enterprise desktop 15 SP7
2.12.10-150700.4.11.1
fixed
suse enterprise sap 15 SP7
2.12.10-150700.4.11.1
fixed
suse enterprise server 12 SP3
2.9.4-46.99.1
fixed
suse enterprise server 15 SP4
2.9.14-150400.5.55.1
fixed
suse enterprise server 15 SP7
2.12.10-150700.4.11.1
fixed
libxml2-devel
suse enterprise desktop 15 SP7
2.12.10-150700.4.11.1
fixed
suse enterprise sap 15 SP7
2.12.10-150700.4.11.1
fixed
suse enterprise server 15 SP4
2.9.14-150400.5.55.1
fixed
suse enterprise server 15 SP7
2.12.10-150700.4.11.1
fixed
libxml2-doc
suse enterprise server 12 SP3
2.9.4-46.99.1
fixed
libxml2-tools
suse enterprise desktop 15 SP7
2.12.10-150700.4.11.1
fixed
suse enterprise sap 15 SP7
2.12.10-150700.4.11.1
fixed
suse enterprise server 12 SP3
2.9.4-46.99.1
fixed
suse enterprise server 15 SP4
2.9.14-150400.5.55.1
fixed
suse enterprise server 15 SP7
2.12.10-150700.4.11.1
fixed
python-libxml2
suse enterprise server 12 SP3
2.9.4-46.99.1
fixed
python3-libxml2
suse enterprise desktop 15 SP7
2.12.10-150700.4.11.1
fixed
suse enterprise sap 15 SP7
2.12.10-150700.4.11.1
fixed
suse enterprise server 15 SP4
2.9.14-150400.5.55.1
fixed
suse enterprise server 15 SP7
2.12.10-150700.4.11.1
fixed
python311-libxml2
suse enterprise server 15 SP4
2.9.14-150400.5.55.1
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
libxml2
Amazon Linux 2
0:2.9.1-6.amzn2.5.22
fixed
Amazon Linux 2023
0:2.10.4-1.amzn2023.0.16
fixed
libxml2-debuginfo
Amazon Linux 2
0:2.9.1-6.amzn2.5.22
fixed
Amazon Linux 2023
0:2.10.4-1.amzn2023.0.16
fixed
libxml2-debugsource
Amazon Linux 2023
0:2.10.4-1.amzn2023.0.16
fixed
libxml2-devel
Amazon Linux 2
0:2.9.1-6.amzn2.5.22
fixed
Amazon Linux 2023
0:2.10.4-1.amzn2023.0.16
fixed
libxml2-python
Amazon Linux 2
0:2.9.1-6.amzn2.5.22
fixed
libxml2-static
Amazon Linux 2
0:2.9.1-6.amzn2.5.22
fixed
Amazon Linux 2023
0:2.10.4-1.amzn2023.0.16
fixed
python3-libxml2
Amazon Linux 2023
0:2.10.4-1.amzn2023.0.16
fixed
python3-libxml2-debuginfo
Amazon Linux 2023
0:2.10.4-1.amzn2023.0.16
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
libxml2
Azure Linux 3.0
0:2.11.5-9.azl3
fixed
CBL-Mariner 2.0
0:2.10.4-10.cm2
fixed