CVE-2026-0989
Published 2026-01-15
Priority P4 · 15 · low · 3.7 (CVSS 3.1)
Vector: AV:N / AC:H / PR:N / UI:N / S:U / C:N / I:N / A:L
EPSS: 0.42% (33.7th percentile)
A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.
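The description says the parser recurses without a limit while resolving nested include directives. The following Python is an example added here and is not code from libxml2, lxml or any distribution: it shows the pre-flight check an application can run over a schema before handing it to libxml2, walking the RelaxNG include and externalRef graph with the standard library parser and rejecting chains that are deeper than a limit, that loop back on themselves, or that resolve more documents than a budget allows. The function names (walk_includes, preflight, load_sample), the limits 8 and 256, and the sample schemas are assumptions constructed for the example; hrefs are used verbatim as loader keys rather than resolved against a base URI.

```python
"""Bounded resolution of RelaxNG include / externalRef chains.

Added example; not libxml2, lxml or distribution code. libxml2's RelaxNG
parser resolves nested include directives recursively with no depth limit,
so an application can walk the same directive graph with the stdlib parser
first and refuse schemas whose chain is too deep, loops back on itself, or
fans out into more documents than a budget allows. The sample schemas are
constructed in memory; a real loader would fetch files or URIs through the
application's resolver.
"""
import xml.etree.ElementTree as ET

RNG_NS = "http://relaxng.org/ns/structure/1.0"
REF_TAGS = {f"{{{RNG_NS}}}include", f"{{{RNG_NS}}}externalRef"}
MAX_DEPTH = 8         # assumed policy value, not a libxml2 setting
MAX_DOCUMENTS = 256   # assumed budget against wide (non-recursive) include graphs


class SchemaIncludeError(ValueError):
    """An include chain violates the policy above, or a target is unknown."""


def find_refs(schema_text):
    """Return the href of every include/externalRef element, in document order."""
    hrefs = []
    for el in ET.fromstring(schema_text).iter():
        if el.tag in REF_TAGS:
            href = el.get("href")
            if not href:
                name = el.tag.rsplit("}", 1)[-1]
                raise SchemaIncludeError(f"<{name}> without href")
            hrefs.append(href)
    return hrefs


def walk_includes(entry, loader, max_depth=MAX_DEPTH, max_documents=MAX_DOCUMENTS):
    """Resolve the include graph below `entry`; return the deepest level reached.

    `loader(href)` returns schema text. hrefs are used verbatim as loader keys
    (assumption: no base-URI resolution). Cycles are detected on the current
    chain, so diamond-shaped graphs pass but loops do not; the document budget
    bounds total work even when every individual chain is short.
    """
    deepest = 0
    loaded = 0

    def visit(href, chain):
        nonlocal deepest, loaded
        if href in chain:
            raise SchemaIncludeError("include cycle: " + " -> ".join(chain + (href,)))
        if len(chain) > max_depth:
            raise SchemaIncludeError(f"include depth {len(chain)} exceeds {max_depth} at {href}")
        loaded += 1
        if loaded > max_documents:
            raise SchemaIncludeError(f"more than {max_documents} schema documents resolved")
        deepest = max(deepest, len(chain))
        for child in find_refs(loader(href)):
            visit(child, chain + (href,))

    visit(entry, ())
    return deepest


def preflight(entry, loader, **limits):
    """Return (True, depth) when the schema may be handed to libxml2, else (False, reason)."""
    try:
        return True, walk_includes(entry, loader, **limits)
    except (SchemaIncludeError, ET.ParseError) as exc:
        return False, str(exc)


# Constructed sample schemas (not real files): one sane chain, one loop, one 20-deep chain.
def _rng(includes=(), external=None):
    incs = "".join(f'<include href="{h}"/>' for h in includes)
    start = f'<externalRef href="{external}"/>' if external else "<empty/>"
    return f'<grammar xmlns="{RNG_NS}">{incs}<start>{start}</start></grammar>'


SAMPLE_SCHEMAS = {
    "good.rng": _rng(["good-1.rng"], external="good-2.rng"),
    "good-1.rng": _rng(["good-2.rng"]),
    "good-2.rng": _rng(),
    "loop.rng": _rng(["loop-b.rng"]),
    "loop-b.rng": _rng(["loop.rng"]),      # loop.rng -> loop-b.rng -> loop.rng
}
for _i in range(19):                         # deep-0.rng -> ... -> deep-19.rng
    SAMPLE_SCHEMAS[f"deep-{_i}.rng"] = _rng([f"deep-{_i + 1}.rng"])
SAMPLE_SCHEMAS["deep-19.rng"] = _rng()


def load_sample(href):
    """Loader over the in-memory samples; anything else is refused, not fetched."""
    if href not in SAMPLE_SCHEMAS:
        raise SchemaIncludeError(f"refusing to resolve unknown schema {href!r}")
    return SAMPLE_SCHEMAS[href]


if __name__ == "__main__":
    for entry in ("good.rng", "loop.rng", "deep-0.rng"):
        print(entry, preflight(entry, load_sample))
```

The same policy belongs in whatever loader the XML library hands to libxml2 for resolving includes (in the C API that is the loader installed with xmlSetExternalEntityLoader()), and the simplest mitigation remains not accepting schemas from untrusted input at all: the vector's AC:H reflects that attacker-supplied RelaxNG schemas are an unusual input path.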
Affected
21 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libxml2 | < libxml2 2.15.2+dfsg-0.1 (forky) | libxml2 2.15.2+dfsg-0.1 (forky) |
| ibm | aix | — | — |
| ibm | aix | >= 7.2.5 < 7.2.5.12 | 7.2.5.12 |
| ibm | aix | >= 7.3.2 < 7.3.3.3 | 7.3.3.3 |
| ibm | vios | — | — |
| ibm | vios | >= 4.1.0 < 4.1.1.30 | 4.1.1.30 |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | openshift_container_platform | — | — |
| xmlsoft | libxml2 | < 2.15.2 | 2.15.2 |
| xmlsoft | libxml2 | >= 0 < 2.15.2+dfsg-0.1 | 2.15.2+dfsg-0.1 |
| xmlsoft | libxml2 | >= 0 < 2.9.13+dfsg-1ubuntu0.11 | 2.9.13+dfsg-1ubuntu0.11 |
| xmlsoft | libxml2 | >= 0 < 2.9.14+dfsg-1.3ubuntu3.7 | 2.9.14+dfsg-1.3ubuntu3.7 |
| xmlsoft | libxml2 | >= 0 < 2.14.5+dfsg-0.2ubuntu0.1 | 2.14.5+dfsg-0.2ubuntu0.1 |
| xmlsoft | libxml2 | >= 0 < 2.9.1+dfsg1-3ubuntu4.13+esm11 | 2.9.1+dfsg1-3ubuntu4.13+esm11 |
| xmlsoft | libxml2 | >= 0 < 2.9.3+dfsg1-1ubuntu0.7+esm12 | 2.9.3+dfsg1-1ubuntu0.7+esm12 |
| xmlsoft | libxml2 | >= 0 < 2.9.4+dfsg1-6.1ubuntu1.9+esm7 | 2.9.4+dfsg1-6.1ubuntu1.9+esm7 |
| xmlsoft | libxml2 | >= 0 < 2.9.10+dfsg-5ubuntu0.20.04.10+esm4 | 2.9.10+dfsg-5ubuntu0.20.04.10+esm4 |
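The fixed-in column mixes the upstream release (2.15.2) with distribution backports whose upstream part is far lower, so a scanner that compares an installed version against 2.15.2 alone misreports patched Debian and Ubuntu builds as vulnerable. The Python below is an example added here, not page, dpkg or distribution tooling: it implements the dpkg version ordering and checks an installed package version against the fixed-in strings from the table. Two assumptions: the rows labelled xmlsoft that carry Ubuntu-style revisions are treated as Ubuntu fixed-in versions (the table names no Ubuntu release), and the applicable row for an installed package is the one with the same upstream part, which is how these stable-release backports are numbered.

```python
"""Distro-aware check of an installed libxml2 against the fixed-in versions above.

Added example; not page, dpkg or distribution tooling. It reimplements the
dpkg version ordering ([epoch:]upstream[-revision]; fragments compared as
alternating non-digit and digit runs; '~' sorts before everything, even the
end of the string; letters sort before other punctuation) so that a backport
such as 2.9.14+dfsg-1.3ubuntu3.7 is reported as fixed although its upstream
part is far below 2.15.2.
"""
import re

UPSTREAM_FIXED = "2.15.2"   # xmlsoft row of the table
# Fixed-in strings copied from the table. Treating the rows with Ubuntu-style
# revisions as Ubuntu's is an assumption; the table itself labels them xmlsoft
# and names no Ubuntu release.
DISTRO_FIXED = {
    "debian": ["2.15.2+dfsg-0.1"],
    "ubuntu": [
        "2.9.1+dfsg1-3ubuntu4.13+esm11", "2.9.3+dfsg1-1ubuntu0.7+esm12",
        "2.9.4+dfsg1-6.1ubuntu1.9+esm7", "2.9.10+dfsg-5ubuntu0.20.04.10+esm4",
        "2.9.13+dfsg-1ubuntu0.11", "2.9.14+dfsg-1.3ubuntu3.7",
        "2.14.5+dfsg-0.2ubuntu0.1",
    ],
}


def _order(c):
    """dpkg character weight: digit or end 0, '~' below everything, letters, then punctuation."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256


def _cmp_fragment(a, b):
    """Compare one upstream or revision fragment the way dpkg's verrevcmp does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # non-digit run, character by character; a missing character weighs 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # digit run, compared numerically (so 10 > 9 and leading zeros do not matter)
        da = re.match(r"\d*", a[i:]).group()
        db = re.match(r"\d*", b[j:]).group()
        i += len(da)
        j += len(db)
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def split_version(v):
    """Split [epoch:]upstream[-revision]; a missing epoch is 0, a missing revision ''."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def deb_version_cmp(a, b):
    """Return -1, 0 or 1 for a <, == or > b in dpkg ordering."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def naive_upstream_check(installed):
    """What a scanner reports when it compares only the numeric upstream part to 2.15.2."""
    m = re.match(r"\d+(?:\.\d+)*", split_version(installed)[1])
    numeric = m.group() if m else ""
    return "fixed" if _cmp_fragment(numeric, UPSTREAM_FIXED) >= 0 else "vulnerable"


def distro_check(distro, installed):
    """Compare against the fixed-in row sharing the installed upstream part (assumed rule)."""
    upstream = split_version(installed)[1]
    rows = [f for f in DISTRO_FIXED.get(distro, []) if split_version(f)[1] == upstream]
    if not rows:
        return "no-fixed-version-listed"
    return "fixed" if deb_version_cmp(installed, rows[0]) >= 0 else "vulnerable"


if __name__ == "__main__":
    for distro, v in (("ubuntu", "2.9.14+dfsg-1.3ubuntu3.7"),
                      ("ubuntu", "2.9.14+dfsg-1.3ubuntu3.6"),
                      ("debian", "2.15.2+dfsg-0.1")):
        print(f"{distro} {v}: naive={naive_upstream_check(v)} distro-aware={distro_check(distro, v)}")
```

Feed distro_check the output of `dpkg-query -W -f '${Version}' libxml2` on a Debian or Ubuntu host. A result of no-fixed-version-listed means the table carries no fixed-in row for that package stream (for example Debian bookworm, bullseye and trixie, which the Debian tracker below still lists as open), not that the package is safe. RPM-based hosts use a different ordering (rpmvercmp), and the Red Hat rows of the table carry no fixed version at all, so for those consult the vendor advisory directly.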
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 3.7 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L |
| osv | — | 4.8 | MEDIUM | — |
| vendor_debian | — | 3.7 | LOW | — |
| vendor_redhat | — | 3.7 | LOW | — |
| vendor_ubuntu | — | 3.3 | LOW | — |
The osv score (4.8, MEDIUM) is attached to the multi-CVE Ubuntu notice mirrored below, whose headline entry is CVE-2025-8732, not to this CVE on its own; every source that scores CVE-2026-0989 individually rates it LOW.
OSV
libxml2 vulnerabilities (Ubuntu notice covering several libxml2 CVEs)
osv · 2026-01-22 · CVSS 4.8 · CVE-2025-8732 [MEDIUM]
It was discovered that libxml2 incorrectly handled maliciously crafted SGML
catalog files. An attacker could possibly use this issue to cause libxml2
to consume excessive resources, leading to a denial of service.
(CVE-2025-8732)
It was discovered that libxml2 incorrectly handled recursive include
directives with the RelaxNG parser. An attacker could possibly use this
issue to cause libxml2 to consume excessive resources, leading to a denial
of service. (CVE-2026-0989)
Nick Wellnhofer discovered that libxml2 incorrectly parsed catalogs with
self-referencing URI delegates. An attacker could possibly use this issue
to cause libxml2 to consume excessive resources, leading to a denial of
service. (CVE-2026-0990)
Nick Wellnhofer discovered that libxml2 inefficiently
GHSA
GHSA-3xfm-x84x-qwwq: A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled
ghsa_unreviewed · 2026-01-15 · CVE-2026-0989 [LOW] · CWE-674
OSV
CVE-2026-0989: A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled
osv · 2026-01-15 · CVSS 3.7 · CVE-2026-0989 [LOW]
Ubuntu
libxml2 vulnerabilities
vendor_ubuntu · 2026-01-22 · CVSS 3.3 · CVE-2026-0990 [LOW]
Summary: Several security issues were fixed in libxml2. (Advisory text identical to the OSV mirror above.)
Red Hat
libxml2: Unbounded RelaxNG Include Recursion Leading to Stack Overflow
vendor_redhat · 2026-01-15 · CVSS 3.7 · CVE-2026-0989 [LOW] · CWE-674
Debian
CVE-2026-0989: libxml2 - A flaw was identified in the RelaxNG parser of libxml2 related to how external s...
vendor_debian · 2026 · CVSS 3.7 · CVE-2026-0989 [LOW]
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 2.15.2+dfsg-0.1)
sid: resolved (fixed in 2.15.2+dfsg-0.1)
trixie: open
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-0989 qt5-qtwebengine: Unbounded RelaxNG Include Recursion Leading to Stack Overflow [fedora-42]
bugzilla · 2026-01-15 · CVSS 3.7 · CVE-2026-0989 [LOW]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained v
Bugzilla
CVE-2026-0989 libxml2: Unbounded RelaxNG Include Recursion Leading to Stack Overflow [fedora-42]
bugzilla · 2026-01-15 · CVSS 3.7 · CVE-2026-0989 [LOW]
Bugzilla
CVE-2026-0989 libxml2: Unbounded RelaxNG Include Recursion Leading to Stack Overflow
bugzilla · 2026-01-15 · CVSS 3.7 · CVE-2026-0989 [LOW]
Uncontrolled recursion vulnerability in the RelaxNG include handling logic of the libxml2 XML parsing library. The issue arises from the absence of limits on recursive directive resolution. When a deeply nested chain of included RelaxNG schema files is processed, the parser enters unbounded recursion, eventually exhausting the system call stack. This results in a stack overflow and application crash. Exploitation requires attacker-controlled schema input and primarily impacts availability by causing a denial of service.
Bugzilla
CVE-2026-0989 mingw-libxml2: Unbounded RelaxNG Include Recursion Leading to Stack Overflow [fedora-42]
bugzilla · 2026-01-15 · CVSS 3.7 · CVE-2026-0989 [LOW]
Bugzilla
CVE-2026-0989 pcem: Unbounded RelaxNG Include Recursion Leading to Stack Overflow [fedora-42]
bugzilla · 2026-01-15 · CVSS 3.7 · CVE-2026-0989 [LOW]
Wiz
CVE-2026-0989 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 3.7 · CVE-2026-0989 [LOW]
CVE-2026-0989: Linux Debian vulnerability analysis and mitigation (description as in the NVD text above; source: NVD)
Score: 3.7 (CNA score 3.7), severity LOW
Published: January 15, 2026
Affected technologies: Linux Debian, Linux Ubuntu
Has public exploit: No
Has CISA KEV exploit: No (KEV release date N/A, KEV due date N/A)
Exploitation probability percentile (EPSS): 5.5
Exploitation probability (EPSS): N/A
Affected packages and