Platform: linux
Component: libxml2
Fixed in: 2.15.3-0.3.hum1
A denial-of-service (DoS) vulnerability has been identified in the libxml2 library, a widely used XML parser. This flaw arises from uncontrolled resource consumption when processing XML catalogs containing repeated <nextCatalog> elements that point to the same downstream catalog. Exploitation involves supplying specially crafted catalogs, resulting in excessive CPU usage and application unavailability, effectively causing a DoS. This vulnerability affects versions 2.15.2-0.3.hum1 and later, and a fix is available.
The primary impact of CVE-2026-0992 is a denial-of-service condition. An attacker can trigger this by providing a malicious XML catalog to an application that utilizes libxml2 for XML parsing. The repeated traversal of catalog chains consumes significant CPU resources, potentially bringing the affected application or even the entire system to a halt. The blast radius depends on the application's criticality and resource constraints; a heavily used service could experience widespread disruption. While the CVSS score is LOW, the impact on availability can be significant, particularly in environments where high availability is essential.
This vulnerability is currently not listed on the CISA KEV catalog. There are no publicly known proof-of-concept exploits available at this time. The vulnerability's LOW CVSS score suggests a lower probability of active exploitation, but the ease of crafting malicious XML catalogs warrants attention. Public disclosure occurred on 2026-01-15.
Exploit Status
EPSS: 0.02% (6th percentile)
CISA SSVC
CVSS Vector
The recommended mitigation for CVE-2026-0992 is to upgrade to a patched version of libxml2. Since a specific fixed version is not provided, consult your distribution's package manager for the latest available update. As a temporary workaround, consider implementing input validation to restrict the complexity of XML catalogs processed by your application. This could involve limiting the depth of catalog chains or enforcing stricter rules on the <nextCatalog> element. Monitoring CPU usage is also recommended to detect potential exploitation attempts. After upgrade, confirm by testing catalog parsing with known benign XML files and observing normal CPU utilization.
Update the libxml2 library to version 2.15.3-0.3.hum1 or higher to mitigate the denial-of-service vulnerability. Apply the security updates provided by Red Hat through their errata channel (RHSA-2026:7519) to ensure your system is protected.
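One way to apply the interim workaround above (limiting catalog chain depth and rejecting repeated nextCatalog references) before a catalog ever reaches libxml2. This is an added example, not libxml2 code or part of the advisory; the catalog texts and URIs are constructed, and the check works on an in-memory map of catalog URI to XML rather than on files.

```python
"""Pre-flight check for XML catalogs handed to libxml2 (added example).

Walks the nextCatalog chain of an in-memory catalog set and rejects
catalogs that repeat the same downstream target, revisit a catalog, or
chain deeper than a limit. The OASIS namespace and the nextCatalog
element's 'catalog' attribute follow XML Catalogs 1.1; the sample
catalogs below are constructed for this example.
"""
import xml.etree.ElementTree as ET

CATALOG_NS = "urn:oasis:names:tc:entity:xmlns:xml:catalog"
NEXT_CATALOG = f"{{{CATALOG_NS}}}nextCatalog"

# Constructed sample catalogs, keyed by the URI a nextCatalog would reference.
SAMPLE_CATALOGS = {
    "benign.xml": f'<catalog xmlns="{CATALOG_NS}"><nextCatalog catalog="leaf.xml"/></catalog>',
    "leaf.xml": f'<catalog xmlns="{CATALOG_NS}"/>',
    # Repeats one downstream catalog many times: the pattern behind the DoS.
    "abusive.xml": f'<catalog xmlns="{CATALOG_NS}">'
                   + '<nextCatalog catalog="leaf.xml"/>' * 64 + '</catalog>',
    # Self-referencing chain: would never terminate without a revisit check.
    "loop.xml": f'<catalog xmlns="{CATALOG_NS}"><nextCatalog catalog="loop.xml"/></catalog>',
}


def check_catalog_chain(catalogs, root, max_depth=8):
    """Return (ok, reason); ok is False on duplicates, revisits, or depth > max_depth."""
    visited = set()

    def walk(uri, depth):
        if depth > max_depth:
            return False, f"chain deeper than {max_depth} at {uri}"
        if uri in visited:
            return False, f"catalog {uri} referenced more than once in the chain"
        visited.add(uri)
        if uri not in catalogs:
            return False, f"unresolvable catalog {uri}"
        try:
            doc = ET.fromstring(catalogs[uri])
        except ET.ParseError as exc:
            return False, f"malformed catalog {uri}: {exc}"
        targets = [el.get("catalog") for el in doc.iter(NEXT_CATALOG)]
        if len(targets) != len(set(targets)):
            return False, f"duplicate nextCatalog targets in {uri}"
        for target in targets:
            ok, reason = walk(target, depth + 1)
            if not ok:
                return ok, reason
        return True, "ok"

    return walk(root, 0)
```

Run the check on a catalog before passing its path to the parser and refuse (and log) anything that does not return ok; the reason string names the offending catalog for the alert.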
CVE-2026-0992 is a denial-of-service vulnerability in the libxml2 library, allowing attackers to cause excessive CPU consumption by crafting malicious XML catalogs.
You are potentially affected if you use libxml2 versions 2.15.2-0.3.hum1 or later and process XML catalogs from untrusted sources without proper validation.
Upgrade to the latest available patched version of libxml2 from your distribution's package manager. As a temporary workaround, implement input validation to restrict catalog complexity.
There are currently no publicly known active exploitation campaigns or proof-of-concept exploits for CVE-2026-0992.
Consult your Linux distribution's security advisories for specific details and updates related to CVE-2026-0992 in libxml2.