NIXPKGS-2026-0029

GitHub issue published on 18 Jan 2026

Permalink CVE-2026-0990

updated 1 month ago by @LeSuisse Activity log

Created automatic suggestion 1 month ago
@LeSuisse removed
8 packages
- tests.pkg-config.defaultPkgConfigPackages."libxml-2.0"
- perl540Packages.AlienLibxml2
- perl538Packages.AlienLibxml2
- python313Packages.libxml2
- python312Packages.libxml2
- perlPackages.AlienLibxml2
- sbclPackages.cl-libxml2
- libxml2Python
1 month ago
@LeSuisse accepted 1 month ago
@LeSuisse published on GitHub 1 month ago

Libxml2: libxml2: denial of service via uncontrolled recursion in xml catalog processing

A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications.

Affected products

rhcos

libxml2

Matching in nixpkgs

pkgs.libxml2

XML parsing library for C

nixos-unstable 2.15.1
- nixpkgs-unstable 2.15.1
- nixos-unstable-small 2.15.1

pkgs.libxml2_13

XML parsing library for C

nixos-unstable 2.13.8
- nixpkgs-unstable 2.13.8
- nixos-unstable-small 2.13.8

Package maintainers

@jtojnar Jan Tojnar <jtojnar@gmail.com>
@gepbird Gutyina Gergő <gutyina.gergo.2@gmail.com>

Upstream issue: https://gitlab.gnome.org/GNOME/libxml2/-/issues/1018
Upstream patch: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1961208e958ca22f80a0b4e4c9d71cfa050aa982

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0029

Affected products

Matching in nixpkgs

pkgs.libxml2

pkgs.libxml2_13

Package maintainers