CVE-2026-0990
MediumCVSS 5.9Exploitation Probability (EPSS)
Elevated risk51th percentile - higher than 51% of all known CVEs
Summary
An uncontrolled recursion vulnerability was found in libxml2's xmlCatalogXMLResolveURI function. It occurs when an XML catalog contains a delegate URI entry that references itself, leading to infinite recursion and call stack exhaustion.
Risk Assessment
A remote attacker can crash applications using libxml2 by providing a specially crafted XML catalog, resulting in a Denial of Service (DoS).
Recommendation
Update libxml2 to the latest patched version immediately. If not possible, restrict processing of untrusted XML catalogs.
Original NVD description (English source)
A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications.

