CVE-2026-1757

EUVD-2026-5101

02.02.2026, 13:15

A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not properly released under certain conditions. When a user submits input consisting only of whitespace, the program skips command execution but fails to free the allocated buffer. Repeating this action causes memory to continuously accumulate. Over time, this can exhaust system memory and terminate the xmllint process, creating a denial-of-service condition on the local system.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.2 MEDIUM	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Debian Releases

Debian Product

Codename

libxml2

bookworm	unimportant
bookworm (security)	unimportant
bullseye	unimportant
bullseye (security)	unimportant
forky	2.15.2+dfsg-0.1 fixed
sid	2.15.2+dfsg-0.1 fixed
trixie	unimportant
trixie (security)	unimportant

openSUSE / SLES Releases

openSUSE Product

Release

libxml2-2

suse enterprise desktop 15 SP7	2.12.10-150700.4.11.1 fixed
suse enterprise sap 15 SP7	2.12.10-150700.4.11.1 fixed
suse enterprise server 12 SP3	2.9.4-46.99.1 fixed
suse enterprise server 15 SP4	2.9.14-150400.5.55.1 fixed
suse enterprise server 15 SP7	2.12.10-150700.4.11.1 fixed

libxml2-2-32bit

suse enterprise desktop 15 SP7	2.12.10-150700.4.11.1 fixed
suse enterprise sap 15 SP7	2.12.10-150700.4.11.1 fixed
suse enterprise server 12 SP3	2.9.4-46.99.1 fixed
suse enterprise server 15 SP4	2.9.14-150400.5.55.1 fixed
suse enterprise server 15 SP7	2.12.10-150700.4.11.1 fixed

libxml2-devel

suse enterprise desktop 15 SP7	2.12.10-150700.4.11.1 fixed
suse enterprise sap 15 SP7	2.12.10-150700.4.11.1 fixed
suse enterprise server 15 SP4	2.9.14-150400.5.55.1 fixed
suse enterprise server 15 SP7	2.12.10-150700.4.11.1 fixed

libxml2-doc

suse enterprise server 12 SP3

2.9.4-46.99.1

fixed

libxml2-tools

suse enterprise desktop 15 SP7	2.12.10-150700.4.11.1 fixed
suse enterprise sap 15 SP7	2.12.10-150700.4.11.1 fixed
suse enterprise server 12 SP3	2.9.4-46.99.1 fixed
suse enterprise server 15 SP4	2.9.14-150400.5.55.1 fixed
suse enterprise server 15 SP7	2.12.10-150700.4.11.1 fixed

python-libxml2

suse enterprise server 12 SP3

2.9.4-46.99.1

fixed

python3-libxml2

suse enterprise desktop 15 SP7	2.12.10-150700.4.11.1 fixed
suse enterprise sap 15 SP7	2.12.10-150700.4.11.1 fixed
suse enterprise server 15 SP4	2.9.14-150400.5.55.1 fixed
suse enterprise server 15 SP7	2.12.10-150700.4.11.1 fixed

python311-libxml2

suse enterprise server 15 SP4

2.9.14-150400.5.55.1

fixed

Common Weakness Enumeration

CWE-401 - Missing Release of Memory after Effective Lifetime
The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

References

https://access.redhat.com/errata/RHSA-2026:7519

https://access.redhat.com/security/cve/CVE-2026-1757

https://bugzilla.redhat.com/show_bug.cgi?id=2435940

https://gitlab.gnome.org/GNOME/libxml2/-/issues/1009