CVE-2026-0989
Analyzed
Analyzed - Analysis Complete
BaseFortify
Vulnerability report for CVE-2026-0989, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-01-15
Last updated on: 2026-06-30
Assigner: Red Hat, Inc.
Description
Description
A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xmlsoft | libxml2 | to 2.15.2 (exc) |
| redhat | enterprise_linux | 7.0 |
| redhat | enterprise_linux | 6.0 |
| redhat | jboss_core_services | * |
| redhat | enterprise_linux | 8.0 |
| redhat | openshift_container_platform | 4.0 |
| redhat | enterprise_linux | 9.0 |
| redhat | enterprise_linux | 10.0 |
| redhat | hardened_images | * |
| ibm | vios | From 4.1.0 (inc) to 4.1.1.30 (exc) |
| ibm | vios | 4.1.2.0 |
| ibm | aix | From 7.2.5 (inc) to 7.2.5.12 (exc) |
| ibm | aix | From 7.3.2 (inc) to 7.3.3.3 (exc) |
| ibm | aix | 7.3.4 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-674 | The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. |