NIXPKGS-2026-0015

published on 16 Jan 2026

CVE-2026-0989

updated 6 days ago by @LeSuisse Activity log

Created automatic suggestion 6 days, 13 hours ago
@LeSuisse removed
8 packages
- libxml2Python
- sbclPackages.cl-libxml2
- perlPackages.AlienLibxml2
- python312Packages.libxml2
- python313Packages.libxml2
- perl538Packages.AlienLibxml2
- perl540Packages.AlienLibxml2
- tests.pkg-config.defaultPkgConfigPackages."libxml-2.0"
6 days ago
@LeSuisse accepted as draft 6 days ago
@LeSuisse published on GitHub 6 days ago

Libxml2: unbounded relaxng include recursion leading to stack overflow

A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.

Affected products

rhcos

libxml2

Matching in nixpkgs

pkgs.libxml2

XML parsing library for C

nixos-unstable 2.15.1
- nixpkgs-unstable 2.15.1
- nixos-unstable-small 2.15.1
nixos-25.05 2.13.8
- nixos-25.05-small 2.13.8
- nixpkgs-25.05-darwin 2.13.8

pkgs.libxml2_13

XML parsing library for C

nixos-unstable 2.13.8
- nixpkgs-unstable 2.13.8
- nixos-unstable-small 2.13.8

Package maintainers: 7

@jtojnar Jan Tojnar <jtojnar@gmail.com>
@hraban Hraban Luyat <hraban@0brg.net>
@nagy Daniel Nagy <danielnagy@posteo.de>
@lukego Luke Gorrie <luke@snabb.co>
@7c6f434c Michael Raskin <7c6f434c@mail.ru>
@Uthar Kasper Gałkowski <galkowskikasper@gmail.com>
@gepbird Gutyina Gergő <gutyina.gergo.2@gmail.com>

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0015

Affected products

Matching in nixpkgs

pkgs.libxml2

pkgs.libxml2_13

Package maintainers: 7