Description
A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition (XSD) validated document that includes an internal entity reference. An attacker could exploit this by providing a malicious document, leading to a type confusion error that causes the application to crash. This results in a denial of service (DoS), making the affected system or application unavailable.
Published: 2026-04-23
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

A type‑confusion flaw in libxml2 occurs when the library processes an XSD‑validated document that contains an internal entity reference; the resulting error causes the application to crash. The vulnerability is classified as CWE‑843 and can be exploited by supplying a crafted XML file. The crash leads to a denial of service, making the affected system or application unavailable.

Affected Systems

The flaw affects multiple Red Hat products, including Red Hat Enterprise Linux versions 6 through 10, Red Hat JBoss Core Services, Red Hat Hardened Images, and Red Hat OpenShift Container Platform 4. Systems running any of these distributions or containers with libxml2 can be impacted.

Risk and Exploitability

The CVSS score is 6.5, indicating moderate severity. The EPSS score is lower than 1%, meaning the likelihood of exploitation is low at this time. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the attacker must be able to supply a malicious XSD document to an application that uses libxml2 for XML validation; this likely requires either local access or the ability to remotely feed XML to the target application. Upon successful exploitation, the system experiences a crash leading to a denial of service.

Generated by OpenCVE AI on April 28, 2026 at 07:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest libxml2 package provided by Red Hat’s security updates to address the type‑confusion flaw
  • Reconfigure applications that perform XSD validation to disable or limit the use of internal entity references until a patched version is available
  • Monitor application logs for unexpected crashes and review Red Hat advisories for additional mitigation guidance

Generated by OpenCVE AI on April 28, 2026 at 07:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 05 May 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat hardened Images
Xmlsoft
Xmlsoft libxml2
CPEs cpe:2.3:a:redhat:hardened_images:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_core_services:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*
cpe:2.3:a:xmlsoft:libxml2:-:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
Vendors & Products Redhat hardened Images
Xmlsoft
Xmlsoft libxml2

Thu, 30 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
References

Mon, 27 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat libxml2
Redhat openshift Container Platform
Vendors & Products Redhat libxml2
Redhat openshift Container Platform

Mon, 27 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat hummingbird
CPEs cpe:/a:redhat:hummingbird:1
Vendors & Products Redhat hummingbird

Sun, 26 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 23 Apr 2026 22:30:00 +0000

Type Values Removed Values Added
Description A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition (XSD) validated document that includes an internal entity reference. An attacker could exploit this by providing a malicious document, leading to a type confusion error that causes the application to crash. This results in a denial of service (DoS), making the affected system or application unavailable.
Title Libxml2: libxml2: denial of service via crafted xsd-validated document
First Time appeared Redhat
Redhat enterprise Linux
Redhat jboss Core Services
Redhat openshift
Weaknesses CWE-843
CPEs cpe:/a:redhat:jboss_core_services:1
cpe:/a:redhat:openshift:4
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
Redhat jboss Core Services
Redhat openshift
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Redhat Enterprise Linux Hardened Images Hummingbird Jboss Core Services Libxml2 Openshift Openshift Container Platform
Xmlsoft Libxml2
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-30T17:11:03.871Z

Reserved: 2026-04-20T22:34:45.863Z

Link: CVE-2026-6732

cve-icon Vulnrichment

Updated: 2026-04-24T10:54:12.306Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-23T23:16:16.443

Modified: 2026-05-05T13:58:51.647

Link: CVE-2026-6732

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-16T00:00:00Z

Links: CVE-2026-6732 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T07:15:19Z

Weaknesses