libxml2
Fixed version
2.15.3-0.3.hum1
A denial-of-service (DoS) vulnerability has been identified in the libxml2 library, a widely used XML parser. This flaw arises from uncontrolled resource consumption when processing XML catalogs containing repeated <nextCatalog> elements that point to the same downstream catalog. Exploitation involves supplying specially crafted catalogs, resulting in excessive CPU usage and application unavailability, effectively causing a DoS. This vulnerability affects versions 2.15.2-0.3.hum1 and later, and a fix is available.
The primary impact of CVE-2026-0992 is a denial-of-service condition. An attacker can trigger this by providing a malicious XML catalog to an application that utilizes libxml2 for XML parsing. The repeated traversal of catalog chains consumes significant CPU resources, potentially bringing the affected application or even the entire system to a halt. The blast radius depends on the application's criticality and resource constraints; a heavily used service could experience widespread disruption. While the CVSS score is LOW, the impact on availability can be significant, particularly in environments where high availability is essential.
This vulnerability is currently not listed on the CISA KEV catalog. There are no publicly known proof-of-concept exploits available at this time. The vulnerability's LOW CVSS score suggests a lower probability of active exploitation, but the ease of crafting malicious XML catalogs warrants attention. Public disclosure occurred on 2026-01-15.
Applications and systems that rely on libxml2 for XML parsing are at risk, particularly those that process external XML catalogs without proper validation. This includes web servers, data processing pipelines, and any software that handles XML input from untrusted sources. Systems running older, unpatched versions of libxml2 are especially vulnerable.
• linux / server:
journalctl -f | grep -i "libxml2"
• linux / server:
ps aux | grep libxml2 | grep -i "catalog"
Exploitation status
EPSS: 0.02% (6th percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2026-0992 is to upgrade to a patched version of libxml2. Since a specific fixed version is not provided, consult your distribution's package manager for the latest available update. As a temporary workaround, consider implementing input validation to restrict the complexity of XML catalogs processed by your application. This could involve limiting the depth of catalog chains or enforcing stricter rules on the <nextCatalog> element. Monitoring CPU usage is also recommended to detect potential exploitation attempts. After upgrade, confirm by testing catalog parsing with known benign XML files and observing normal CPU utilization.
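A pre-parse check for the catalog pattern described above, added here as an example (it is not libxml2's own code and not part of the advisory): it flags <nextCatalog> elements that repeat the same downstream target and walks a catalog chain with a visited set and a depth cap, the two limits the workaround suggests. The loader callback and the sample catalogs are constructed for the demonstration.

```python
"""Pre-parse checks for XML catalogs before handing them to libxml2.

Flags repeated <nextCatalog> elements that point at the same downstream
catalog, and bounds chain traversal with a visited set and a depth cap.
All catalog contents below are constructed samples, not real files."""
import xml.etree.ElementTree as ET
from collections import Counter

def _local(tag: str) -> str:
    """Strip the OASIS catalog namespace (if present) from an element tag."""
    return tag.rsplit("}", 1)[-1]

def next_catalog_refs(catalog_xml: str) -> list:
    """Return the 'catalog' attribute of every <nextCatalog>, in document order."""
    root = ET.fromstring(catalog_xml)
    return [el.get("catalog", "") for el in root.iter() if _local(el.tag) == "nextCatalog"]

def duplicate_targets(catalog_xml: str) -> dict:
    """Map each downstream catalog referenced more than once to its reference count."""
    return {ref: n for ref, n in Counter(next_catalog_refs(catalog_xml)).items() if n > 1}

def walk_chain(load, start: str, max_depth: int = 8) -> dict:
    """Follow nextCatalog links with a visited set and a depth cap.

    `load(name)` is a hypothetical loader returning the XML text for a catalog
    name. Each distinct catalog is parsed once; repeats are counted, not re-walked."""
    seen, skipped, capped = set(), 0, False
    stack = [(start, 0)]
    while stack:
        name, depth = stack.pop()
        if name in seen:
            skipped += 1          # repeated reference: do not traverse again
            continue
        if depth > max_depth:
            capped = True         # chain longer than policy allows
            continue
        seen.add(name)
        for ref in next_catalog_refs(load(name)):
            stack.append((ref, depth + 1))
    return {"visited": len(seen), "skipped_repeats": skipped, "depth_capped": capped}

# Constructed sample: the root catalog names the same downstream catalog three
# times, and the downstream catalog links back to the root.
SAMPLE_CATALOGS = {
    "root.xml": """<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
  <nextCatalog catalog="sub.xml"/><nextCatalog catalog="sub.xml"/>
  <nextCatalog catalog="sub.xml"/></catalog>""",
    "sub.xml": """<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
  <nextCatalog catalog="root.xml"/></catalog>""",
}

if __name__ == "__main__":
    print(duplicate_targets(SAMPLE_CATALOGS["root.xml"]))   # {'sub.xml': 3}
    print(walk_chain(SAMPLE_CATALOGS.get, "root.xml"))
```

A catalog that fails `duplicate_targets` or hits the depth cap can be rejected before libxml2 ever sees it.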
Update the libxml2 library to version 2.15.3-0.3.hum1 or later to mitigate the denial-of-service vulnerability. Apply the security updates provided by Red Hat through its errata channel (RHSA-2026:7519) to ensure your system is protected.
CVE-2026-0992 is a denial-of-service vulnerability in the libxml2 library, allowing attackers to cause excessive CPU consumption by crafting malicious XML catalogs.
You are potentially affected if you use libxml2 versions 2.15.2-0.3.hum1 or later and process XML catalogs from untrusted sources without proper validation.
Upgrade to the latest available patched version of libxml2 from your distribution's package manager. As a temporary workaround, implement input validation to restrict catalog complexity.
There are currently no publicly known active exploitation campaigns or proof-of-concept exploits for CVE-2026-0992.
Consult your Linux distribution's security advisories for specific details and updates related to CVE-2026-0992 in libxml2.