CVE Catalog

CVE-2026-0990

MediumCVSS 5.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.76%

51th percentile - higher than 51% of all known CVEs

Summary

An uncontrolled recursion vulnerability was found in libxml2's xmlCatalogXMLResolveURI function. It occurs when an XML catalog contains a delegate URI entry that references itself, leading to infinite recursion and call stack exhaustion.

Risk Assessment

A remote attacker can crash applications using libxml2 by providing a specially crafted XML catalog, resulting in a Denial of Service (DoS).

Recommendation

Update libxml2 to the latest patched version immediately. If not possible, restrict processing of untrusted XML catalogs.

Original NVD description (English source)

A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS