Description
A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications.
Published: 2026-01-15
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from unrestricted recursion in libxml2 when a self‑referencing delegate URI is present in an XML catalog. The bug causes infinite recursion in the xmlCatalogXMLResolveURI function, exhausting the call stack and ultimately resulting in a segmentation fault. This crash of the parsing library leads to a denial of service by terminating the affected application. The weakness is identified as CWE‑674 (Uncontrolled Recursion).

Affected Systems

Red Hat Enterprise Linux 6 through 10, Red Hat Hardened Images, Red Hat JBoss Core Services, Red Hat OpenShift Container Platform 4, and Red Hat Hummingbird 1 are affected. These systems rely on libxml2 for XML parsing and catalog processing.

Risk and Exploitability

The CVSS score of 5.9 indicates a medium severity. The EPSS score of less than 1% suggests a very low probability of exploitation in the current environment. The vulnerability is not listed in the CISA KEV catalog. An attacker would need remote or configuration access to supply a specially crafted XML catalog containing a self‑referencing delegate URI. If successful, the attacker could force the application to crash, denying service to legitimate users. The primary attack vector is remote or configuration-dependent input into the XML catalog system.

Generated by OpenCVE AI on April 15, 2026 at 16:40 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria, comprising ease of use and deployment, applicability to a widespread installation base, or stability.


OpenCVE Recommended Actions

  • Upgrade libxml2 to a version that contains the fix for uncontrolled recursion.
  • If an immediate update is not possible, disable or restrict external XML catalog processing in applications that use libxml2 to prevent untrusted input from triggering recursion.
  • Ensure XML configuration files and catalog directories are writable only by trusted administrators and are not exposed to untrusted users or network services.

Generated by OpenCVE AI on April 15, 2026 at 16:40 UTC.
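As an added illustration of the last recommended action (this is not OpenCVE's or libxml2's code): a small audit that parses OASIS XML catalog files and flags delegate or nextCatalog entries that chain back to the catalog itself, generalising the single self-referencing delegate URI entry described above to loops that run through several catalogs. The catalog contents below are constructed samples, and any loop it reports is something to review before the catalog is handed to a libxml2 build that lacks the fix.

```python
"""Audit OASIS XML catalogs for delegate/nextCatalog entries that chain back to
themselves, the catalog shape CVE-2026-0990 describes. Added example, not libxml2 code."""
import posixpath
import xml.etree.ElementTree as ET

# Catalog entry types whose 'catalog' attribute makes the resolver load another catalog.
CHAIN_TAGS = {"delegateURI", "delegateSystem", "delegatePublic", "nextCatalog"}

def referenced_catalogs(catalog_path, xml_text):
    """Return the normalised paths of the catalogs this catalog chains to."""
    base = posixpath.dirname(catalog_path)
    refs = set()
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.split("}", 1)[-1]            # drop the '{namespace}' prefix
        target = el.get("catalog")
        if tag in CHAIN_TAGS and target:
            refs.add(posixpath.normpath(posixpath.join(base, target)))
    return refs

def find_catalog_cycles(catalogs):
    """catalogs maps path -> XML text. Each cycle is returned once as a list of
    paths that starts and ends at the same catalog, e.g. ['a.xml', 'a.xml']."""
    graph = {posixpath.normpath(p): referenced_catalogs(p, t) for p, t in catalogs.items()}
    seen, cycles = set(), []

    def walk(node, trail):
        if node in trail:                         # back edge: a loop in the chain
            cycle = trail[trail.index(node):] + [node]
            if frozenset(cycle) not in seen:
                seen.add(frozenset(cycle))
                cycles.append(cycle)
            return
        for nxt in sorted(graph.get(node, ())):   # catalogs not supplied are leaves
            walk(nxt, trail + [node])

    for start in sorted(graph):
        walk(start, [])
    return cycles

# Constructed samples: 'catalog.xml' delegates to itself; 'clean.xml' only chains outward.
NS = 'xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"'
SAMPLE_CATALOGS = {
    "catalog.xml": f'<catalog {NS}><delegateURI uriStartString="http://example.test/"'
                   ' catalog="catalog.xml"/></catalog>',
    "clean.xml": f'<catalog {NS}><delegateURI uriStartString="http://example.test/"'
                 ' catalog="vendor/catalog.xml"/></catalog>',
    "vendor/catalog.xml": f'<catalog {NS}><uri name="http://example.test/x" uri="x.xsd"/></catalog>',
}
```

Calling find_catalog_cycles(SAMPLE_CATALOGS) reports the loop ['catalog.xml', 'catalog.xml'] and nothing for clean.xml; to audit real files, read each catalog from disk into the same path-to-text mapping.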

Advisories
Source      ID          Title
Ubuntu USN  USN-7974-1  libxml2 vulnerabilities
History

Wed, 22 Apr 2026 09:45:00 +0000
  • References

Thu, 09 Apr 2026 18:15:00 +0000
  • First Time appeared (added): Redhat hummingbird
  • CPEs (added): cpe:/a:redhat:hummingbird:1
  • Vendors & Products (added): Redhat hummingbird
  • References

Fri, 16 Jan 2026 00:15:00 +0000
  • References
  • Metrics threat_severity: removed None, added Moderate

Thu, 15 Jan 2026 17:15:00 +0000
  • Metrics ssvc (added): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 15 Jan 2026 14:30:00 +0000
  • Description (added): A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications.
  • Title (added): Libxml2: libxml2: denial of service via uncontrolled recursion in xml catalog processing
  • First Time appeared (added): Redhat; Redhat enterprise Linux; Redhat jboss Core Services; Redhat openshift
  • Weaknesses (added): CWE-674
  • CPEs (added): cpe:/a:redhat:jboss_core_services:1; cpe:/a:redhat:openshift:4; cpe:/o:redhat:enterprise_linux:10; cpe:/o:redhat:enterprise_linux:6; cpe:/o:redhat:enterprise_linux:7; cpe:/o:redhat:enterprise_linux:8; cpe:/o:redhat:enterprise_linux:9
  • Vendors & Products (added): Redhat; Redhat enterprise Linux; Redhat jboss Core Services; Redhat openshift
  • References
  • Metrics cvssV3_1 (added): {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

MITRE
Status: PUBLISHED
Assigner: redhat
Published:
Updated: 2026-04-22T09:30:55.859Z
Reserved: 2026-01-15T13:15:10.756Z
Link: CVE-2026-0990

Vulnrichment
Updated: 2026-01-15T16:39:18.096Z

NVD
Status: Deferred
Published: 2026-01-15T15:15:52.503
Modified: 2026-04-15T00:35:42.020
Link: CVE-2026-0990

Redhat
Severity: Moderate
Public Date: 2026-01-15T00:00:00Z
Links: CVE-2026-0990 - Bugzilla

OpenCVE Enrichment
Updated: 2026-04-15T18:15:10Z

Weaknesses