CVE-2026-0992
Published 2026-01-15
Priority: P4 · 13 · Severity: low · CVSS 3.1: 2.9
Vector: AV:L / AC:H / PR:N / UI:N / S:U / C:N / I:N / A:L
EPSS: 0.31% (22.5th percentile)
A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition.
Affected (21 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libxml2 | < libxml2 2.15.2+dfsg-0.1 (forky) | libxml2 2.15.2+dfsg-0.1 (forky) |
| ibm | aix | — | — |
| ibm | aix | >= 7.2.5 < 7.2.5.12 | 7.2.5.12 |
| ibm | aix | >= 7.3.2 < 7.3.3.3 | 7.3.3.3 |
| ibm | vios | — | — |
| ibm | vios | >= 4.1.0 < 4.1.1.30 | 4.1.1.30 |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | openshift_container_platform | — | — |
| xmlsoft | libxml2 | < 2.15.2 | 2.15.2 |
| xmlsoft | libxml2 | >= 0 < 2.15.2+dfsg-0.1 | 2.15.2+dfsg-0.1 |
| xmlsoft | libxml2 | >= 0 < 2.9.13+dfsg-1ubuntu0.11 | 2.9.13+dfsg-1ubuntu0.11 |
| xmlsoft | libxml2 | >= 0 < 2.9.14+dfsg-1.3ubuntu3.7 | 2.9.14+dfsg-1.3ubuntu3.7 |
| xmlsoft | libxml2 | >= 0 < 2.14.5+dfsg-0.2ubuntu0.1 | 2.14.5+dfsg-0.2ubuntu0.1 |
| xmlsoft | libxml2 | >= 0 < 2.9.1+dfsg1-3ubuntu4.13+esm11 | 2.9.1+dfsg1-3ubuntu4.13+esm11 |
| xmlsoft | libxml2 | >= 0 < 2.9.3+dfsg1-1ubuntu0.7+esm12 | 2.9.3+dfsg1-1ubuntu0.7+esm12 |
| xmlsoft | libxml2 | >= 0 < 2.9.4+dfsg1-6.1ubuntu1.9+esm7 | 2.9.4+dfsg1-6.1ubuntu1.9+esm7 |
| xmlsoft | libxml2 | >= 0 < 2.9.10+dfsg-5ubuntu0.20.04.10+esm4 | 2.9.10+dfsg-5ubuntu0.20.04.10+esm4 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 2.9 | LOW | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L |
| osv | 4.8 | MEDIUM | — |
| vendor_ubuntu | 3.3 | LOW | — |
| vendor_debian | 2.9 | LOW | — |
| vendor_redhat | 2.9 | LOW | — |
OSV
CVE-2025-8732 [MEDIUM] libxml2 vulnerabilities
osv · 2026-01-22 · CVSS 4.8
It was discovered that libxml2 incorrectly handled maliciously crafted SGML
catalog files. An attacker could possibly use this issue to cause libxml2
to consume excessive resources, leading to a denial of service.
(CVE-2025-8732)
It was discovered that libxml2 incorrectly handled recursive include
directories with the RelaxNG parser. An attacker could possibly use this
issue to cause libxml2 to consume excessive resources, leading to a denial
of service. (CVE-2026-0989)
Nick Wellnhofer discovered that libxml2 incorrectly parsed catalogs with
self-referencing URI delegates. An attacker could possibly use this issue
to cause libxml2 to consume excessive resources, leading to a denial of
service. (CVE-2026-0990)
Nick Wellnhofer discovered that libxml2 inefficiently
OSV
CVE-2026-0992 [LOW] CVE-2026-0992: A flaw was found in the libxml2 library
osv · 2026-01-15 · CVSS 2.9
GHSA
CVE-2026-0992 [LOW] CWE-400 GHSA-cjqj-7q2q-jx9c: A flaw was found in the libxml2 library
ghsa_unreviewed · 2026-01-15
Ubuntu
CVE-2026-0990 [LOW] libxml2 vulnerabilities
vendor_ubuntu · 2026-01-22 · CVSS 3.3
Title: libxml2 vulnerabilities
Summary: Several security issues were fixed in libxml2.
Red Hat
CVE-2026-0992 [LOW] CWE-400 libxml2: libxml2: Denial of Service via crafted XML catalogs
vendor_redhat · 2026-01-15 · CVSS 2.9
Debian
CVE-2026-0992 [LOW] CVE-2026-0992: libxml2 - A flaw was found in the libxml2 library. This uncontrolled resource consumption ...
vendor_debian · 2026 · CVSS 2.9
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 2.15.2+dfsg-0.1)
sid: resolved (fixed in 2.15.2+dfsg-0.1)
trixie: open
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-0992 [LOW] CVE-2026-0992 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 2.9
CVE-2026-0992: CBL Mariner vulnerability analysis and mitigation
Source: NVD
Score: 2.9
Published: January 15, 2026
Severity: LOW
CNA Score: 2.9
Affected Technologies: CBL Mariner, Linux Debian
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS):
Bugzilla
CVE-2026-0992 [LOW] CVE-2026-0992 qt5-qtwebengine: libxml2: Denial of Service via crafted XML catalogs [fedora-42]
bugzilla · 2026-01-15 · CVSS 2.9
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, ch
Bugzilla
CVE-2026-0992 [LOW] CVE-2026-0992 pcem: libxml2: Denial of Service via crafted XML catalogs [fedora-42]
bugzilla · 2026-01-15 · CVSS 2.9
Bugzilla
CVE-2026-0992 [LOW] CVE-2026-0992 libxml2: libxml2: Denial of Service via crafted XML catalogs
bugzilla · 2026-01-15 · CVSS 2.9
Uncontrolled resource consumption vulnerability in the XML catalog processing logic of the libxml2 library. The issue arises when handling chains of XML catalogs that contain repeated elements pointing to the same downstream catalog. During entity resolution, the parser redundantly traverses catalog chains, causing exponential growth in processing time as depth increases. This can be exploited by supplying crafted catalogs to cause excessive CPU consumption and degrade application availability, resulting in a denial-of-service condition.
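The redundant traversal this entry describes, as a constructed Python model added here (not libxml2's code or its fix): each catalog forwards an unresolved lookup to every one of its nextCatalog entries, so duplicated entries pointing at the same downstream catalog multiply the work at every level of the chain, while remembering which catalogs a lookup has already processed keeps the walk linear in the chain length. The names `build_chain`, `resolve`, the `cat<N>` catalog names and the public identifier are assumptions made for the illustration.

```python
# Constructed model of the repeated-element catalog chain (not libxml2 code).
from typing import Optional


def build_chain(depth: int, dup: int = 2) -> dict:
    """Constructed chain cat0 -> cat1 -> ... -> cat<depth>; every catalog lists
    the next one `dup` times, i.e. repeated entries to the same downstream
    catalog. Only the last catalog actually maps a public identifier."""
    catalogs = {}
    for i in range(depth):
        catalogs[f"cat{i}"] = {"public": {}, "next": [f"cat{i + 1}"] * dup}
    catalogs[f"cat{depth}"] = {
        "public": {"-//EXAMPLE//DTD Test//EN": "test.dtd"},  # constructed
        "next": [],
    }
    return catalogs


def resolve(catalogs: dict, start: str, public_id: str, dedup: bool) -> tuple:
    """Resolve `public_id` through the chain; return (URI or None, visits).

    dedup=False follows every nextCatalog entry even when the target was
    already processed: an unresolvable lookup costs dup**depth visits.
    dedup=True processes each catalog at most once per lookup: depth + 1."""
    seen = set()
    visits = 0

    def walk(name: str) -> Optional[str]:
        nonlocal visits
        if dedup:
            if name in seen:
                return None
            seen.add(name)
        visits += 1
        cat = catalogs[name]
        if public_id in cat["public"]:
            return cat["public"][public_id]
        for nxt in cat["next"]:  # duplicates are walked again without dedup
            uri = walk(nxt)
            if uri is not None:
                return uri
        return None

    return walk(start), visits
```

The unresolvable case is the expensive one: a resolvable identifier returns on the first path down the chain, but a miss forces the naive walk through every duplicated branch.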
Bugzilla
CVE-2026-0992 [LOW] CVE-2026-0992 libxml2: libxml2: Denial of Service via crafted XML catalogs [fedora-42]
bugzilla · 2026-01-15 · CVSS 2.9
Bugzilla
CVE-2026-0992 [LOW] CVE-2026-0992 mingw-libxml2: libxml2: Denial of Service via crafted XML catalogs [fedora-42]
bugzilla · 2026-01-15 · CVSS 2.9