CVE-2026-0990
Published 2026-01-15
Priority P3 · medium · 5.9 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.73% (49.4th percentile)
A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications.
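To make the failure mode concrete, the following is an added example, not libxml2's code and not the upstream fix: a small Python model of OASIS XML Catalog delegateURI resolution over in-memory catalogs. The catalog names (self.xml, main.xml, sub.xml), the example.com URIs and the visited-set guard are constructed for illustration; libxml2's real resolver, and the way its patch bounds the recursion, may differ in detail.

```python
"""Model of OASIS XML Catalog delegateURI resolution (added example, not libxml2 code).

A <delegateURI> entry names another catalog to consult for URIs with a given
prefix. When that catalog is the one containing the entry, a resolver that
follows delegates without a cycle check recurses until the stack is gone:
RecursionError here, stack exhaustion and SIGSEGV in a C library.
Catalog names and URIs below are constructed.
"""
import xml.etree.ElementTree as ET

CATALOG_NS = "urn:oasis:names:tc:entity:xmlns:xml:catalog"
DELEGATES = ("delegateURI", "delegateSystem", "delegatePublic", "nextCatalog")


def _local(tag):
    """'{ns}uri' -> 'uri'."""
    return tag.rpartition("}")[2]


def _entries(catalogs, name):
    """Parse catalog `name` from the in-memory store and return its entry elements."""
    root = ET.fromstring(catalogs[name])
    if root.tag != "{%s}catalog" % CATALOG_NS:
        raise ValueError("not an OASIS XML catalog: %s" % name)
    return list(root)


def _lookup(entries, uri):
    """Direct <uri name=... uri=.../> match, or None."""
    for e in entries:
        if _local(e.tag) == "uri" and e.get("name") == uri:
            return e.get("uri")
    return None


def _delegates_for(entries, uri):
    """Catalogs named by <delegateURI> entries whose uriStartString prefixes `uri`."""
    return [e.get("catalog") for e in entries
            if _local(e.tag) == "delegateURI" and uri.startswith(e.get("uriStartString", ""))]


def resolve_uri_unguarded(catalogs, name, uri):
    """Vulnerable shape: follow every matching delegate with no cycle check."""
    entries = _entries(catalogs, name)
    hit = _lookup(entries, uri)
    if hit is not None:
        return hit
    for target in _delegates_for(entries, uri):
        hit = resolve_uri_unguarded(catalogs, target, uri)  # self.xml -> self.xml -> ...
        if hit is not None:
            return hit
    return None


def resolve_uri_guarded(catalogs, name, uri, visited=frozenset()):
    """Hardened shape: a catalog already on the resolution path is not re-entered.

    A visited set is one way to bound the recursion; a fixed depth limit is
    another. Either stops the self-reference while legitimate chains resolve.
    """
    if name in visited:
        return None
    entries = _entries(catalogs, name)
    hit = _lookup(entries, uri)
    if hit is not None:
        return hit
    for target in _delegates_for(entries, uri):
        hit = resolve_uri_guarded(catalogs, target, uri, visited | {name})
        if hit is not None:
            return hit
    return None


def self_references(catalogs):
    """Audit: (catalog, entry type) for every delegate/nextCatalog that points at its own catalog."""
    return [(name, _local(e.tag)) for name in catalogs for e in _entries(catalogs, name)
            if _local(e.tag) in DELEGATES and e.get("catalog") == name]


# Constructed trigger shape: the only entry delegates every http://example.com/ URI back to self.xml.
SELF_REFERENCING = {
    "self.xml": """<?xml version="1.0"?>
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
  <delegateURI uriStartString="http://example.com/" catalog="self.xml"/>
</catalog>""",
}

# Constructed legitimate chain that also contains a cycle (sub.xml points back at main.xml).
CHAINED = {
    "main.xml": """<?xml version="1.0"?>
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
  <delegateURI uriStartString="http://example.com/" catalog="sub.xml"/>
</catalog>""",
    "sub.xml": """<?xml version="1.0"?>
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
  <uri name="http://example.com/schema.xsd" uri="file:///usr/share/xml/example/schema.xsd"/>
  <delegateURI uriStartString="http://example.com/" catalog="main.xml"/>
</catalog>""",
}

URI = "http://example.com/schema.xsd"


def demo():
    """(unguarded on self.xml, guarded on self.xml, guarded on the main.xml chain)."""
    try:
        resolve_uri_unguarded(SELF_REFERENCING, "self.xml", URI)
        unguarded = "returned"
    except RecursionError:
        unguarded = "RecursionError"
    return (unguarded,
            resolve_uri_guarded(SELF_REFERENCING, "self.xml", URI),
            resolve_uri_guarded(CHAINED, "main.xml", URI))


if __name__ == "__main__":
    print(demo())
    print(self_references(SELF_REFERENCING), self_references(CHAINED))
```

Run it and the unguarded resolver dies with RecursionError on self.xml, Python's stand-in for the stack exhaustion and segmentation fault described above; the guarded one returns None for the same catalog and still resolves the main.xml to sub.xml chain even though sub.xml delegates back to main.xml. The self_references() audit is the check worth running over the catalogs a deployment actually loads, since the issue only matters where an attacker can plant or edit one of them.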
Affected
21 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libxml2 | < libxml2 2.15.2+dfsg-0.1 (forky) | libxml2 2.15.2+dfsg-0.1 (forky) |
| ibm | aix | — | — |
| ibm | aix | >= 7.2.5 < 7.2.5.12 | 7.2.5.12 |
| ibm | aix | >= 7.3.2 < 7.3.3.3 | 7.3.3.3 |
| ibm | vios | — | — |
| ibm | vios | >= 4.1.0 < 4.1.1.30 | 4.1.1.30 |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | openshift_container_platform | — | — |
| xmlsoft | libxml2 | < 2.15.2 | 2.15.2 |
| debian | libxml2 | >= 0 < 2.15.2+dfsg-0.1 | 2.15.2+dfsg-0.1 |
| ubuntu | libxml2 | >= 0 < 2.9.13+dfsg-1ubuntu0.11 | 2.9.13+dfsg-1ubuntu0.11 |
| ubuntu | libxml2 | >= 0 < 2.9.14+dfsg-1.3ubuntu3.7 | 2.9.14+dfsg-1.3ubuntu3.7 |
| ubuntu | libxml2 | >= 0 < 2.14.5+dfsg-0.2ubuntu0.1 | 2.14.5+dfsg-0.2ubuntu0.1 |
| ubuntu | libxml2 | >= 0 < 2.9.1+dfsg1-3ubuntu4.13+esm11 | 2.9.1+dfsg1-3ubuntu4.13+esm11 |
| ubuntu | libxml2 | >= 0 < 2.9.3+dfsg1-1ubuntu0.7+esm12 | 2.9.3+dfsg1-1ubuntu0.7+esm12 |
| ubuntu | libxml2 | >= 0 < 2.9.4+dfsg1-6.1ubuntu1.9+esm7 | 2.9.4+dfsg1-6.1ubuntu1.9+esm7 |
| ubuntu | libxml2 | >= 0 < 2.9.10+dfsg-5ubuntu0.20.04.10+esm4 | 2.9.10+dfsg-5ubuntu0.20.04.10+esm4 |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (v3.1) | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| OSV | 5.9 | MEDIUM | — |
| Debian | 5.9 | MEDIUM | — |
| Red Hat | 5.9 | MEDIUM | — |
| Ubuntu | 3.3 | LOW | — |

Ubuntu's 3.3 (Low) and Debian's "Scope: local" (below) disagree with NVD's network vector. The difference is where the catalog comes from: exploitation needs a crafted catalog to be loaded by the target process, and libxml2 takes catalogs from the default system catalog or the paths listed in XML_CATALOG_FILES, so whether this is reachable remotely depends on who can write those files in a given deployment.
OSV
libxml2 vulnerabilities (OSV record indexed under CVE-2025-8732; the advisory text also covers CVE-2026-0989 and CVE-2026-0990)
osv · 2026-01-22 · CVSS 4.8 [MEDIUM]
It was discovered that libxml2 incorrectly handled maliciously crafted SGML
catalog files. An attacker could possibly use this issue to cause libxml2
to consume excessive resources, leading to a denial of service.
(CVE-2025-8732)
It was discovered that libxml2 incorrectly handled recursive include
directories with the RelaxNG parser. An attacker could possibly use this
issue to cause libxml2 to consume excessive resources, leading to a denial
of service. (CVE-2026-0989)
Nick Wellnhofer discovered that libxml2 incorrectly parsed catalogs with
self-referencing URI delegates. An attacker could possibly use this issue
to cause libxml2 to consume excessive resources, leading to a denial of
service. (CVE-2026-0990)
Nick Wellnhofer discovered that libxml2 inefficiently
OSV
CVE-2026-0990: A flaw was found in libxml2, an XML parsing library
osv · 2026-01-15 · CVSS 5.9 [MEDIUM]
GHSA
GHSA-2j3v-cxmf-cmp7: A flaw was found in libxml2, an XML parsing library
ghsa_unreviewed · 2026-01-15 · CWE-674 [MEDIUM]
Ubuntu
libxml2 vulnerabilities
vendor_ubuntu · 2026-01-22 · CVSS 3.3 [LOW]
Title: libxml2 vulnerabilities
Summary: Several security issues were fixed in libxml2.
Red Hat
libxml2: Denial of Service via uncontrolled recursion in XML catalog processing
vendor_redhat · 2026-01-15 · CVSS 5.9 [MEDIUM] · CWE-674
Debian
CVE-2026-0990: libxml2 - A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion...
vendor_debian · 2026 · CVSS 5.9 [MEDIUM]
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 2.15.2+dfsg-0.1)
sid: resolved (fixed in 2.15.2+dfsg-0.1)
trixie: open
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-0990 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.9 [MEDIUM]
CBL Mariner vulnerability analysis and mitigation
Source: NVD
Score: 5.9 (CNA score 5.9), severity MEDIUM
Published: January 15, 2026
Affected technologies: CBL Mariner, Linux Debian
Has public exploit: No
In CISA KEV: No (KEV release date N/A)
Bugzilla
CVE-2026-0990 mingw-libxml2: libxml2: Denial of Service via uncontrolled recursion in XML catalog processing [fedora-42]
bugzilla · 2026-01-15 · CVSS 5.9 [MEDIUM]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a curren
Bugzilla
CVE-2026-0990 libxml2: libxml2: Denial of Service via uncontrolled recursion in XML catalog processing [fedora-42]
bugzilla · 2026-01-15 · CVSS 5.9 [MEDIUM]
Bugzilla
CVE-2026-0990 qt5-qtwebengine: libxml2: Denial of Service via uncontrolled recursion in XML catalog processing [fedora-42]
bugzilla · 2026-01-15 · CVSS 5.9 [MEDIUM]
Bugzilla
CVE-2026-0990 libxml2: libxml2: Denial of Service via uncontrolled recursion in XML catalog processing
bugzilla · 2026-01-15 · CVSS 5.9 [MEDIUM]
Uncontrolled recursion vulnerability in the xmlCatalogXMLResolveURI function of the libxml2 XML parsing library. The issue occurs when an XML catalog contains a delegate URI entry that references the catalog itself. During entity resolution, the function recursively resolves the same catalog entry without detecting the cyclic reference. This results in infinite recursion and eventual call stack exhaustion, leading to a segmentation fault. Exploitation is configuration-dependent and primarily impacts availability by allowing an attacker to crash affected applications.
Bugzilla
CVE-2026-0990 pcem: libxml2: Denial of Service via uncontrolled recursion in XML catalog processing [fedora-42]
bugzilla · 2026-01-15 · CVSS 5.9 [MEDIUM]