NIXPKGS-2026-0029
GitHub issue
published on
Permalink
CVE-2026-0990
5.9 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): HIGH
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): NONE
- Integrity impact (I): NONE
- Availability impact (A): HIGH
by @LeSuisse Activity log
- Created automatic suggestion
- @LeSuisse removed package tests.pkg-config.defaultPkgConfigPackages."libxml-2.0"
- @LeSuisse removed package perl540Packages.AlienLibxml2
- @LeSuisse removed package perl538Packages.AlienLibxml2
- @LeSuisse removed package python313Packages.libxml2
- @LeSuisse removed package python312Packages.libxml2
- @LeSuisse removed package perlPackages.AlienLibxml2
- @LeSuisse removed package sbclPackages.cl-libxml2
- @LeSuisse removed package libxml2Python
- @LeSuisse accepted
- @LeSuisse published on GitHub
Libxml2: libxml2: denial of service via uncontrolled recursion in xml catalog processing
A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications.
References
Affected products
rhcos
libxml2
Package maintainers
-
@jtojnar Jan Tojnar <jtojnar@gmail.com>
-
@gepbird Gutyina Gergő <gutyina.gergo.2@gmail.com>