CVE-2026-0989 — Uncontrolled Recursion in Libxml2

CWE-674 — Uncontrolled Recursion8 documents7 sources

Severity

3.7LOWNVD

OSV4.8

EPSS

0.0%

top 94.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Xmlsoft Libxml2 Debian Libxml2

Timeline

PublishedJan 15

Latest updateJan 22

Description

A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 2.2 | Impact: 1.4

Affected Packages3 packages

▶debiandebian/libxml2< libxml2 2.15.2+dfsg-0.1 (forky)

▶Debianxmlsoft/libxml2< 2.15.2+dfsg-0.1

▶Ubuntuxmlsoft/libxml2< 2.9.13+dfsg-1ubuntu0.11+6

🔴Vulnerability Details

OSV

libxml2 vulnerabilities↗2026-01-22

▶

GHSA

GHSA-3xfm-x84x-qwwq: A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled↗2026-01-15

▶

OSV

CVE-2026-0989: A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled↗2026-01-15

▶

📋Vendor Advisories

Ubuntu

libxml2 vulnerabilities↗2026-01-22

▶

Red Hat

libxml2: Unbounded RelaxNG Include Recursion Leading to Stack Overflow↗2026-01-15

▶

Debian

CVE-2026-0989: libxml2 - A flaw was identified in the RelaxNG parser of libxml2 related to how external s...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-0989 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶