CVE-2026-11979

EUVD-2026-40092

29.06.2026, 14:16

libxml2 is vulnerable to multiple stack-based buffer overflows in the xmlcatalog utility when running in --shell mode. The usershell() function processes user input using fixed-size stack buffers without proper bounds checking.
By supplying an overly long input line, an attacker can overflow internal buffers (command, arg, and argv) during input parsing. This results in memory corruption within the stack frame.
Successful exploitation may cause a crash or potentially allow arbitrary code execution in the context of the xmlcatalog process.

This issue has been fixed in the commit c2e233fc.

NOTE:
The maintainers of this project did not agree that this issue is a vulnerability and considered it a bug.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
CERT-PL	CNA	1.8 LOW	LOCAL	LOW	NONE	CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:L/SI:L/SA:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
xmlsoft	libxml2	𝑥 ≤ 2.15.3	CNA

Debian Releases

Debian Product

Codename

libxml2

bookworm	unimportant
bookworm (security)	unimportant
bullseye	unimportant
bullseye (security)	unimportant
forky	unimportant
sid	unimportant
trixie	unimportant
trixie (security)	unimportant

Common Weakness Enumeration

CWE-121 - Stack-based Buffer Overflow
A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

References

https://cert.pl/en/posts/2026/06/CVE-2026-11979

https://gitlab.gnome.org/GNOME/libxml2/-/commit/c2e233fc1b341685fc99621b2768b503f777a72e