CVE Catalog

CVE-2026-0989

LowCVSS 3.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.42%

34th percentile — higher than 34% of all known CVEs

Summary

A flaw was found in the RelaxNG parser of libxml2 related to handling external schema inclusions. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives, which can cause excessive recursion. Specially crafted schemas may lead to stack exhaustion and application crashes.

Risk Assessment

An attacker can exploit this vulnerability to perform a Denial of Service (DoS) attack on applications using libxml2 to process RelaxNG schemas. This could result in service unavailability and system downtime.

Recommendation

Immediately update libxml2 to a version that includes a limit on schema inclusion depth. If an update is not possible, restrict access to processing untrusted RelaxNG schemas.

Original NVD description (English source)

A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS