NIXPKGS-2026-0014

published on 16 Jan 2026

Permalink CVE-2026-0992

updated 1 month ago by @LeSuisse Activity log

Created automatic suggestion 1 month ago
@LeSuisse removed
8 packages
- libxml2Python
- sbclPackages.cl-libxml2
- perlPackages.AlienLibxml2
- python312Packages.libxml2
- python313Packages.libxml2
- perl538Packages.AlienLibxml2
- perl540Packages.AlienLibxml2
- tests.pkg-config.defaultPkgConfigPackages."libxml-2.0"
1 month ago
@LeSuisse accepted 1 month ago
@LeSuisse published on GitHub 1 month ago

Libxml2: libxml2: denial of service via crafted xml catalogs

A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition.

Affected products

rhcos

libxml2

Matching in nixpkgs

pkgs.libxml2

XML parsing library for C

nixos-unstable 2.15.1
- nixpkgs-unstable 2.15.1
- nixos-unstable-small 2.15.1

pkgs.libxml2_13

XML parsing library for C

nixos-unstable 2.13.8
- nixpkgs-unstable 2.13.8
- nixos-unstable-small 2.13.8

Package maintainers

@jtojnar Jan Tojnar <jtojnar@gmail.com>
@gepbird Gutyina Gergő <gutyina.gergo.2@gmail.com>

Fix MR: https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/368

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0014

Affected products

Matching in nixpkgs

pkgs.libxml2

pkgs.libxml2_13

Package maintainers