Denial-of-Service Flaw in libxml2's RelaxNG Parser
CVE-2026-0989

3.7LOW

Key Information:

Vendor: Red Hat
Status: Red Hat Enterprise Linux 10; Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7; Red Hat Enterprise Linux 8
Vendor: CVE Published:; 15 January 2026

What is CVE-2026-0989?

A flaw in the RelaxNG parser of libxml2 pertains to improper handling of external schema inclusions. The parser lacks limitations on the depth of inclusion when processing nested directives. This can lead to excessive recursion in scenarios involving specially crafted schemas, resulting in stack exhaustion and application crashes. Consequently, this poses a denial-of-service risk, affecting applications reliant on libxml2 for XML parsing.

References

https://access.redhat.com/security/cve/CVE-2026-0989

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2429933

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

3.7

Severity:

LOW

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 15, 2026
Vulnerability Reserved
Jan 15, 2026

Credit

Red Hat would like to thank lanbigking for reporting this issue.

JSON