Description
A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition.
Published: 2026-01-15
Score: 2.9 Low
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via resource exhaustion
Action: Apply Update
AI Analysis

Impact

A flaw in the libxml2 library allows an attacker to trigger excessive CPU consumption by supplying XML catalogs that contain repeated <nextCatalog> elements referencing the same downstream catalog. The parser follows each duplicate entry and traverses the same downstream chain again, so every repeated entry adds a full extra traversal; the result is uncontrolled resource consumption and degraded application availability. This denial-of-service condition is a form of resource exhaustion (CWE-400).

Affected Systems

The vulnerability affects Red Hat products that ship libxml2, including Red Hat Enterprise Linux 6, 7, 8, 9, and 10; Red Hat Hardened Images; Red Hat JBoss Core Services; and Red Hat OpenShift Container Platform 4. The affected libxml2 version numbers are not listed in the available CVE data.

Risk and Exploitability

The description characterises the attacker as remote, since the crafted catalogs arrive as input, but the Red Hat CVSS 3.1 vector recorded for this CVE (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) rates the attack vector as local with high attack complexity, no confidentiality or integrity impact and a low availability impact. In practice, exploitability depends on whether an untrusted party can control which catalog files libxml2 loads. The CVSS score of 2.9 indicates low severity, and the EPSS of less than 1% suggests a very low likelihood of exploitation. The vulnerability is not included in the CISA KEV catalog, and the SSVC assessment records no known exploitation. Red Hat lists no vendor workaround, so protection relies on patching or on mitigations at the application level.

Generated by OpenCVE AI on April 15, 2026 at 16:39 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.


OpenCVE Recommended Actions

  • Upgrade libxml2 to the latest available version from the vendor that includes the fix for the catalog processing issue
  • Restrict or validate the sources of XML catalogs so that only trusted inputs are processed by the application
  • Implement process resource limits or monitoring to detect and mitigate abnormal CPU usage that could indicate an exploitation attempt
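The redundant traversal described under Impact, and the catalog-validation step recommended above, as an added illustration that is not part of libxml2, Red Hat, or this advisory. The catalogs are constructed in memory and parsed with Python's xml.etree; `walk_naive` and `walk_dedup` are hypothetical stand-ins for a catalog resolver, not libxml2's own implementation, and `duplicate_next_catalogs` is the kind of pre-load check an application could run on catalogs it receives from outside.

```python
"""Walk a chain of OASIS XML catalogs and show why repeated <nextCatalog>
entries matter. Added illustration: the catalogs are constructed in memory,
parsed with xml.etree, and both walkers are hypothetical resolvers, not
libxml2's catalog code."""
import xml.etree.ElementTree as ET
from collections import Counter

CATALOG_NS = "urn:oasis:names:tc:entity:xmlns:xml:catalog"
NEXT_CATALOG = "{%s}nextCatalog" % CATALOG_NS


def build_chain(depth, fanout):
    """Constructed sample input: cat0.xml lists cat1.xml `fanout` times,
    cat1.xml lists cat2.xml `fanout` times, and so on; the last one is empty."""
    catalogs = {}
    for i in range(depth):
        entries = "".join(
            '<nextCatalog catalog="cat%d.xml"/>' % (i + 1) for _ in range(fanout)
        )
        catalogs["cat%d.xml" % i] = '<catalog xmlns="%s">%s</catalog>' % (
            CATALOG_NS, entries)
    catalogs["cat%d.xml" % depth] = '<catalog xmlns="%s"/>' % CATALOG_NS
    return catalogs


def next_catalogs(xml_text):
    """Targets of every <nextCatalog> element, in document order."""
    root = ET.fromstring(xml_text)
    return [e.get("catalog") for e in root.iter(NEXT_CATALOG) if e.get("catalog")]


def duplicate_next_catalogs(xml_text):
    """Pre-load validation: nextCatalog targets listed more than once."""
    counts = Counter(next_catalogs(xml_text))
    return {target: n for target, n in counts.items() if n > 1}


def walk_naive(catalogs, start, visits=None):
    """Follows every entry without remembering what was already loaded, so each
    duplicate entry re-traverses the whole downstream chain (the failure mode)."""
    visits = Counter() if visits is None else visits
    if start not in catalogs:  # unresolvable target: nothing to load
        return visits
    visits[start] += 1
    for target in next_catalogs(catalogs[start]):
        walk_naive(catalogs, target, visits)
    return visits


def walk_dedup(catalogs, start, max_catalogs=1000):
    """Loads each catalog at most once (visited set) and stops after a bound,
    so duplicate entries and cycles cost nothing beyond the first load."""
    visits = Counter()
    seen = set()
    stack = [start]
    while stack and len(seen) < max_catalogs:
        name = stack.pop()
        if name in seen or name not in catalogs:
            continue
        seen.add(name)
        visits[name] += 1
        for target in next_catalogs(catalogs[name]):
            if target not in seen:
                stack.append(target)
    return visits


if __name__ == "__main__":
    chain = build_chain(depth=4, fanout=10)
    print("duplicates in cat0.xml:", duplicate_next_catalogs(chain["cat0.xml"]))
    print("naive loads of cat4.xml:", walk_naive(chain, "cat0.xml")["cat4.xml"])
    print("dedup loads of cat4.xml:", walk_dedup(chain, "cat0.xml")["cat4.xml"])
```

With four levels of ten duplicate entries each, the naive walker loads the last catalog 10,000 times (11,111 loads in total) while the de-duplicating walker loads each of the five catalogs once; rejecting a catalog that `duplicate_next_catalogs` flags, or capping the number of catalogs a resolver will load, keeps the cost linear in the catalog set regardless of how the input is crafted.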



Advisories

Source: Ubuntu USN
ID: USN-7974-1
Title: libxml2 vulnerabilities
History

Wed, 22 Apr 2026 09:45:00 +0000
  References: updated

Thu, 09 Apr 2026 18:15:00 +0000
  First time appeared: Redhat hummingbird
  CPEs added: cpe:/a:redhat:hummingbird:1
  Vendors & Products added: Redhat hummingbird
  References: updated

Fri, 16 Jan 2026 00:15:00 +0000
  References: updated
  Metrics: threat_severity changed from None to Low

Thu, 15 Jan 2026 17:15:00 +0000
  Metrics: SSVC (version 2.0.3) added: Exploitation: none; Automatable: no; Technical Impact: partial

Thu, 15 Jan 2026 14:30:00 +0000
  Description added: the description shown at the top of this page
  Title added: Libxml2: libxml2: denial of service via crafted xml catalogs
  First time appeared: Redhat; Redhat enterprise Linux; Redhat jboss Core Services; Redhat openshift
  Weaknesses added: CWE-400
  CPEs added:
    cpe:/a:redhat:jboss_core_services:1
    cpe:/a:redhat:openshift:4
    cpe:/o:redhat:enterprise_linux:10
    cpe:/o:redhat:enterprise_linux:6
    cpe:/o:redhat:enterprise_linux:7
    cpe:/o:redhat:enterprise_linux:8
    cpe:/o:redhat:enterprise_linux:9
  Vendors & Products added: Redhat; Redhat enterprise Linux; Redhat jboss Core Services; Redhat openshift
  References: updated
  Metrics: CVSS v3.1 added: score 2.9, vector CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

MITRE

Status: PUBLISHED

Assigner: redhat

Updated: 2026-04-22T09:31:04.354Z

Reserved: 2026-01-15T13:34:08.872Z

Link: CVE-2026-0992

Vulnrichment

Updated: 2026-01-15T16:39:43.390Z

NVD

Status: Deferred

Published: 2026-01-15T15:15:52.657

Modified: 2026-04-22T10:16:50.273

Link: CVE-2026-0992

Redhat

Severity: Low

Public Date: 2026-01-15T00:00:00Z

Links: CVE-2026-0992 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T18:15:10Z

Weaknesses