CVE-2026-1757
published 2026-02-02CVE-2026-1757: A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not properly…
PriorityP426medium6.2CVSS 3.1
AVLACLPRNUINSUCNINAH
EPSS
0.19%
9.3th percentile
A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not properly released under certain conditions. When a user submits input consisting only of whitespace, the program skips command execution but fails to free the allocated buffer. Repeating this action causes memory to continuously accumulate. Over time, this can exhaust system memory and terminate the xmllint process, creating a denial-of-service condition on the local system.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libxml2 | < libxml2 2.15.2+dfsg-0.1 (forky) | libxml2 2.15.2+dfsg-0.1 (forky) |
| ubuntu | libxml2 | — | — |
| xmlsoft | libxml2 | >= 0 < 2.15.2+dfsg-0.1 | 2.15.2+dfsg-0.1 |
CVSS provenance
nvdv3.16.2MEDIUMCVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv6.2MEDIUM
vendor_debian6.2LOW
vendor_redhat6.2MEDIUM
vendor_ubuntu6.2MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
libxml2 vulnerabilities
vendor_ubuntu·2026-06-22·CVSS 6.2
CVE-2026-1757 [MEDIUM] libxml2 vulnerabilities
Title: libxml2 vulnerabilities
Summary: Several security issues were fixed in libxml2.
It was discovered that libxml2 did not properly release memory allocated in
the xmllint utility. An attacker could possibly use this issue to cause a
denial of service. (CVE-2026-1757)
A type confusion vulnerability was found in libxml2 when processing a
specially crafted XML document. A remote attacker could possibly use this
issue to cause a denial of service. (CVE-2026-6732)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
libxml2: Memory Leak Leading to Local Denial of Service in xmllint Interactive Shell
vendor_redhat·2026-02-02·CVSS 6.2
CVE-2026-1757 [MEDIUM] CWE-401 libxml2: Memory Leak Leading to Local Denial of Service in xmllint Interactive Shell
libxml2: Memory Leak Leading to Local Denial of Service in xmllint Interactive Shell
A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not properly released under certain conditions. When a user submits input consisting only of whitespace, the program skips command execution but fails to free the allocated buffer. Repeating this action causes memory to continuously accumulate. Over time, this can exhaust system memory and terminate the xmllint process, creating a denial-of-service condition on the local system.
A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not properly released under certain conditions. W
Debian
CVE-2026-1757: libxml2 - A flaw was identified in the interactive shell of the xmllint utility, part of t...
vendor_debian·2026·CVSS 6.2
CVE-2026-1757 [MEDIUM] CVE-2026-1757: libxml2 - A flaw was identified in the interactive shell of the xmllint utility, part of t...
A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not properly released under certain conditions. When a user submits input consisting only of whitespace, the program skips command execution but fails to free the allocated buffer. Repeating this action causes memory to continuously accumulate. Over time, this can exhaust system memory and terminate the xmllint process, creating a denial-of-service condition on the local system.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 2.15.2+dfsg-0.1)
sid: resolved (fixed in 2.15.2+dfsg-0.1)
trixie: open
OSV
CVE-2026-1757: A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not prope
osv·2026-02-02·CVSS 6.2
CVE-2026-1757 [MEDIUM] CVE-2026-1757: A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not prope
A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not properly released under certain conditions. When a user submits input consisting only of whitespace, the program skips command execution but fails to free the allocated buffer. Repeating this action causes memory to continuously accumulate. Over time, this can exhaust system memory and terminate the xmllint process, creating a denial-of-service condition on the local system.
GHSA
GHSA-7qq5-wfv8-hvvh: A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not prope
ghsa_unreviewed·2026-02-02
CVE-2026-1757 [MEDIUM] CWE-401 GHSA-7qq5-wfv8-hvvh: A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not prope
A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not properly released under certain conditions. When a user submits input consisting only of whitespace, the program skips command execution but fails to free the allocated buffer. Repeating this action causes memory to continuously accumulate. Over time, this can exhaust system memory and terminate the xmllint process, creating a denial-of-service condition on the local system.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-1757 libxml2: Memory Leak Leading to Local Denial of Service in xmllint Interactive Shell
bugzilla·2026-02-02·CVSS 6.2
CVE-2026-1757 [MEDIUM] CVE-2026-1757 libxml2: Memory Leak Leading to Local Denial of Service in xmllint Interactive Shell
CVE-2026-1757 libxml2: Memory Leak Leading to Local Denial of Service in xmllint Interactive Shell
Memory leak vulnerability in the xmllint interactive shell command parser. The issue is caused by improper memory management when processing input lines that consist solely of whitespace characters. In this scenario, the allocated command buffer is not freed before continuing execution, resulting in a persistent memory leak. By repeatedly supplying large whitespace-only inputs, a local attacker can cause unbounded memory growth, eventually exhausting system resources and triggering an out-of-memory (OOM) condition. This flaw can be exploited without authentication but requires local access to the xmllint shell, leading to a denial-of-service condition.
Wiz
CVE-2026-1757 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.2
CVE-2026-1757 [MEDIUM] CVE-2026-1757 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1757 :
Linux Debian vulnerability analysis and mitigation
A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not properly released under certain conditions. When a user submits input consisting only of whitespace, the program skips command execution but fails to free the allocated buffer. Repeating this action causes memory to continuously accumulate. Over time, this can exhaust system memory and terminate the xmllint process, creating a denial-of-service condition on the local system.
Source : NVD
## 6.2
Score
Published February 2, 2026
Severity MEDIUM
CNA Score 6.2
Affected Technologies
Linux Debian
Linux Ubuntu
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Relea
2026-02-02
Published