NIXPKGS-2026-0015

published on 16 Jan 2026

Permalink CVE-2026-0989

updated 1 month ago by @LeSuisse Activity log

Created automatic suggestion 1 month ago
@LeSuisse removed
8 packages
- libxml2Python
- sbclPackages.cl-libxml2
- perlPackages.AlienLibxml2
- python312Packages.libxml2
- python313Packages.libxml2
- perl538Packages.AlienLibxml2
- perl540Packages.AlienLibxml2
- tests.pkg-config.defaultPkgConfigPackages."libxml-2.0"
1 month ago
@LeSuisse accepted 1 month ago
@LeSuisse published on GitHub 1 month ago

Libxml2: unbounded relaxng include recursion leading to stack overflow

A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.

Affected products

rhcos

libxml2

Matching in nixpkgs

pkgs.libxml2

XML parsing library for C

nixos-unstable 2.15.1
- nixpkgs-unstable 2.15.1
- nixos-unstable-small 2.15.1

pkgs.libxml2_13

XML parsing library for C

nixos-unstable 2.13.8
- nixpkgs-unstable 2.13.8
- nixos-unstable-small 2.13.8

Package maintainers

@jtojnar Jan Tojnar <jtojnar@gmail.com>
@gepbird Gutyina Gergő <gutyina.gergo.2@gmail.com>

Fix MR: https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/374

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0015

Affected products

Matching in nixpkgs

pkgs.libxml2

pkgs.libxml2_13

Package maintainers