Stack-Based Buffer Overflow in xmlcatalog Utility of libxml2
CVE-2026-11979

1.8 LOW

Key Information:

Vendor: Xmlsoft

Status: Vendor

CVE Published: 29 June 2026

What is CVE-2026-11979?

The xmlcatalog utility of libxml2 is vulnerable to multiple stack-based buffer overflows caused by improper handling of user input in --shell mode. The usershell() function uses fixed-size stack buffers without adequate bounds checking, so an attacker who can supply overly long input lines can overflow those internal buffers. The resulting memory corruption can crash the application or allow execution of arbitrary code within the xmlcatalog process. Although the project maintainers regarded this issue as a bug, users should recognize its potential security implications.
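The pattern behind this bug class is a shell loop that copies each input line into a fixed-size stack buffer without first checking that it fits. The following is an added, constructed illustration of the hardened form of such a loop; it is not libxml2's usershell() code, and the buffer size, command names and handler are assumptions for the example.

```c
#include <stddef.h>
#include <string.h>

/* Assumed fixed buffer size for one shell command line (not libxml2's value). */
#define CMD_MAX 64

/* Copy one command line (up to CR/LF) into a fixed-size buffer only if it fits.
   Returns 0 on success, -1 if the line would overflow the buffer.
   The length check before the copy is what the vulnerable pattern lacks:
   an unbounded strcpy/sprintf into cmd[] would write past CMD_MAX bytes. */
int parse_command_safe(const char *line, char *cmd, size_t cmd_size) {
    size_t len = strcspn(line, "\r\n");
    if (len >= cmd_size)
        return -1;              /* too long: refuse rather than truncate silently */
    memcpy(cmd, line, len);
    cmd[len] = '\0';
    return 0;
}

/* Process a scripted session (a constructed stand-in for stdin in --shell mode).
   Every line is bounds-checked before it reaches the stack buffer; overlong lines
   are counted and skipped. Returns the number of rejected lines. */
int shell_session(const char *script, int (*handler)(const char *)) {
    char cmd[CMD_MAX];          /* fixed-size stack buffer, as in the bug class */
    int rejected = 0;
    const char *p = script;
    while (*p != '\0') {
        if (parse_command_safe(p, cmd, sizeof cmd) != 0)
            rejected++;
        else if (cmd[0] != '\0')
            handler(cmd);
        p += strcspn(p, "\n");  /* advance to the end of this line */
        if (*p == '\n')
            p++;
    }
    return rejected;
}

/* Hypothetical handler that only counts accepted commands. */
static int handled_count = 0;
static int count_handler(const char *cmd) { (void)cmd; handled_count++; return 0; }
int handled_so_far(void) { return handled_count; }
```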

Affected Version(s)

libxml2, all versions up to and including 2.15.3 (0 <= version <= 2.15.3)

CVSS V4

Score: 1.8
Severity: LOW
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Michał Majchrowicz (AFINE Team)
Marcin Wyczechowski (AFINE Team)