Memory Management Flaw in xmllint Utility by libxml2
CVE-2026-1757
6.2 MEDIUM
What is CVE-2026-1757?
A memory management flaw exists in the xmllint utility, part of the libxml2 package. When a user's input consists only of whitespace, the utility does not release the memory allocated for that input, so memory usage accumulates gradually. As users repeatedly execute this command, the unfreed buffers can lead to system memory exhaustion. Ultimately, this could cause the xmllint process to crash, a denial-of-service condition on local systems. Releasing the memory on this input path is what keeps the process and the system stable.
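The leak pattern described above, as an added example that is not libxml2's code: a line-processing loop that skips whitespace-only input before reaching its `free`, next to the corrected path. All names (`read_line`, `run_loop`, `SAMPLE`) are hypothetical, and the input lines are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int live_buffers;   /* line buffers allocated and not yet freed */

/* Hypothetical stand-in for the input read: returns a heap copy of src. */
static char *read_line(const char *src) {
    char *buf = malloc(strlen(src) + 1);
    if (buf == NULL) return NULL;
    strcpy(buf, src);
    live_buffers++;
    return buf;
}
static void free_line(char *buf) { free(buf); live_buffers--; }

static int is_blank(const char *s) {
    for (; *s; s++)
        if (!isspace((unsigned char)*s)) return 0;
    return 1;
}

/* Runs the loop over n lines; returns how many buffers were never released. */
int run_loop(const char *const *lines, size_t n, int fixed) {
    char *orphans[16];          /* kept only so this demo can clean up */
    int n_orphans = 0, leaked;
    live_buffers = 0;
    for (size_t i = 0; i < n && n_orphans < 16; i++) {
        char *line = read_line(lines[i]);
        if (line == NULL) break;
        if (is_blank(line)) {
            if (fixed) free_line(line);        /* corrected: free, then skip */
            else orphans[n_orphans++] = line;  /* flawed: skipped, never freed */
            continue;
        }
        free_line(line);        /* non-blank input is released after handling */
    }
    leaked = live_buffers;
    while (n_orphans > 0) free(orphans[--n_orphans]);
    return leaked;
}

/* Constructed sample input: three whitespace-only lines among two commands. */
static const char *const SAMPLE[] = { "ls", "   ", "\t", "cd /", " \t " };
int leaked_before_fix(void) { return run_loop(SAMPLE, 5, 0); }
int leaked_after_fix(void)  { return run_loop(SAMPLE, 5, 1); }
int main(void) {
    printf("before fix: %d, after fix: %d\n", leaked_before_fix(), leaked_after_fix());
    return 0;
}
```

The flawed path leaves one buffer allocated per whitespace-only line, which is why the growth is gradual and tied to how often such input is entered.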
References
CVSS V3.1
Score: 6.2
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Red Hat would like to thank lanbigking for reporting this issue.