Denial-of-Service Flaw in libxml2's RelaxNG Parser
CVE-2026-0989

3.7LOW

Key Information:

Vendor

Red Hat
Status
Red Hat Hardened Images
Red Hat Enterprise Linux 10
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Vendor
CVE Published:
15 January 2026

What is CVE-2026-0989?

A flaw in the RelaxNG parser of libxml2 pertains to improper handling of external schema inclusions. The parser lacks limitations on the depth of inclusion when processing nested directives. This can lead to excessive recursion in scenarios involving specially crafted schemas, resulting in stack exhaustion and application crashes. Consequently, this poses a denial-of-service risk, affecting applications reliant on libxml2 for XML parsing.

Affected Version(s)

Red Hat Hardened Images 2.15.2-0.3.hum1

References

https://access.redhat.com/errata/RHSA-2026:7519
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2026-0989
vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2429933
issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:
3.7
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank lanbigking for reporting this issue.
.