CVE-2026-0989

A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.

CVSS v3 3.7 LOW

3.7^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://access.redhat.com/errata/RHSA-2026:7519
https://access.redhat.com/security/cve/CVE-2026-0989
https://bugzilla.redhat.com/show_bug.cgi?id=2429933
https://gitlab.gnome.org/GNOME/libxml2/-/issues/998

Configurations

No configuration.

History

22 Apr 2026, 10:16

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2026:7519 -

09 Apr 2026, 18:16

Type	Values Removed	Values Added
References		() https://gitlab.gnome.org/GNOME/libxml2/-/issues/998 -
Summary		(es) Se identificó un fallo en el analizador RelaxNG de libxml2 relacionado con la forma en que se gestionan las inclusiones de esquemas externos. El analizador no impone un límite en la profundidad de inclusión al resolver directivas anidadas. Esquemas especialmente elaborados o excesivamente complejos pueden causar recursión excesiva durante el análisis. Esto puede provocar el agotamiento de la pila y caídas de la aplicación, creando un riesgo de denegación de servicio.

15 Jan 2026, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-15 15:15

Updated : 2026-04-22 10:16

NVD link : CVE-2026-0989

Mitre link : CVE-2026-0989

CVE.ORG link : CVE-2026-0989

JSON object : View

Products Affected

No product.

CWE

CWE-674

Uncontrolled Recursion

3.7 /10