CVE-2026-0989
📋 TL;DR
A denial-of-service vulnerability exists in libxml2's RelaxNG parser where nested <include> directives can cause unlimited recursion, leading to stack exhaustion and application crashes. This affects any application using libxml2 to parse RelaxNG schemas with external inclusions. The impact is limited to availability disruption rather than data compromise.
💻 Affected Systems
- libxml2
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Application crashes repeatedly when processing malicious schemas, causing sustained denial of service for affected services.
Likely Case
Accidental or incidental schema complexity causes occasional application crashes during parsing operations.
If Mitigated
Minor service interruptions with quick recovery if proper monitoring and restart mechanisms are in place.
🎯 Exploit Status
Exploitation requires ability to supply RelaxNG schemas to vulnerable applications. No authentication bypass needed if schema input is accepted.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: libxml2 2.13.0 and later
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2026-0989
Restart Required: Yes
Instructions:
1. Update libxml2 to version 2.13.0 or later using your distribution's package manager.
2. Restart affected applications.
3. For Red Hat systems: 'yum update libxml2' or 'dnf update libxml2'.
🔧 Temporary Workarounds
Disable external schema inclusions
- Configure applications to disable external schema inclusions in RelaxNG parsing.
- Set XML_PARSE_NOENT=0 in application code when parsing schemas.
Limit schema recursion depth
- Implement application-level limits on schema inclusion depth.
- Implement custom parser callbacks to track and limit inclusion depth.
🧯 If You Can't Patch
- Implement input validation to reject schemas with excessive nesting
- Deploy monitoring for application crashes related to schema parsing
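The "limit schema inclusion depth" workaround and the "reject schemas with excessive nesting" fallback both come down to inspecting the include graph before libxml2 sees it. The following is an added example, not code from the advisory, Red Hat, or the libxml2 project: a stdlib-only Python pre-validator that walks <include> and <externalRef> hrefs, rejects cycles and chains deeper than a configurable limit, and only then lets the caller hand the schema set to the real parser. It assumes the schema files are already fetched into memory as a dict keyed by href and that hrefs are used as plain keys (no relative-URL resolution); the schema texts are constructed samples.

```python
"""Added example (not libxml2 or vendor code): walk a RelaxNG schema's
<include>/<externalRef> chain and reject it before libxml2 ever parses it.
Assumption: the schema set is already in memory as {href: xml_text} and hrefs
are used as plain keys (no relative-URL resolution)."""
import xml.etree.ElementTree as ET

RNG_NS = "http://relaxng.org/ns/structure/1.0"
REF_TAGS = ("{%s}include" % RNG_NS, "{%s}externalRef" % RNG_NS)


class SchemaRejected(Exception):
    """Raised when the inclusion graph is too deep, cyclic or unresolvable."""


def check_include_depth(schemas, root_href, max_depth=8):
    """Return the deepest inclusion level reached from root_href.

    Raises SchemaRejected if any chain exceeds max_depth, includes a schema
    that is already on the current chain (a cycle), or points at an href
    that is not in the in-memory set.  The depth test runs before descending,
    so this walker itself never recurses more than max_depth + 1 levels.
    """
    deepest = 0

    def walk(href, depth, chain):
        nonlocal deepest
        if href in chain:
            raise SchemaRejected("inclusion cycle: " + " -> ".join(chain + (href,)))
        if depth > max_depth:
            raise SchemaRejected("inclusion depth %d exceeds limit %d at %s"
                                 % (depth, max_depth, href))
        if href not in schemas:
            raise SchemaRejected("unresolvable include: " + href)
        deepest = max(deepest, depth)
        root = ET.fromstring(schemas[href])
        for el in root.iter():
            if el.tag in REF_TAGS:
                target = el.get("href")
                if target is None:
                    raise SchemaRejected("%s without href in %s" % (el.tag, href))
                walk(target, depth + 1, chain + (href,))

    walk(root_href, 0, ())
    return deepest


def schema_accepted(schemas, root_href, max_depth=8):
    """Wrapper for callers that prefer a (bool, detail) pair to an exception."""
    try:
        return True, check_include_depth(schemas, root_href, max_depth)
    except SchemaRejected as exc:
        return False, str(exc)


def grammar(body):
    """Wrap a fragment in a <grammar> root in the RelaxNG namespace."""
    return '<grammar xmlns="%s">%s</grammar>' % (RNG_NS, body)


# Constructed sample: a well-formed three-file schema set (root -> a -> b).
SAMPLE_SCHEMAS = {
    "root.rng": grammar('<include href="a.rng"/><start><ref name="doc"/></start>'),
    "a.rng": grammar('<include href="b.rng"/>'),
    "b.rng": grammar('<define name="doc"><element name="doc"><text/></element></define>'),
}

# Constructed sample: a schema that includes itself, i.e. the shape an
# application must refuse rather than hand to the parser.
CYCLIC_SCHEMAS = {"loop.rng": grammar('<include href="loop.rng"/>')}


def make_chain(n):
    """Constructed sample: s0.rng includes s1.rng ... includes sn.rng (depth n)."""
    files = {"s%d.rng" % i: grammar('<include href="s%d.rng"/>' % (i + 1))
             for i in range(n)}
    files["s%d.rng" % n] = grammar('<start><text/></start>')
    return files


if __name__ == "__main__":
    print(schema_accepted(SAMPLE_SCHEMAS, "root.rng"))   # (True, 2)
    print(schema_accepted(CYCLIC_SCHEMAS, "loop.rng"))   # (False, 'inclusion cycle: ...')
    print(schema_accepted(make_chain(12), "s0.rng"))     # (False, 'inclusion depth 9 exceeds ...')
```

The limit is checked before the walker descends, so the pre-validator cannot itself be driven into deep recursion by the input it is screening; pick max_depth from the deepest legitimate schema set you actually ship, not from a guess.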
🔍 How to Verify
Check if Vulnerable:
Check libxml2 version: 'xml2-config --version' or 'rpm -q libxml2'
Check Version:
xml2-config --version
Verify Fix Applied:
Verify version is 2.13.0 or later: 'xml2-config --version | grep -q "^2\.1[3-9]\|^[3-9]\."'
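As an added example (not part of the advisory), the same "is the installed version 2.13.0 or later" check done as a numeric tuple comparison rather than a pattern on the version string, which also handles the 'rpm -q libxml2' output form. It assumes xml2-config is on PATH when run for real; the parsing functions are pure and are exercised below with constructed version strings.

```python
"""Added example (not from the advisory): compare the installed libxml2
version numerically against the 2.13.0 fix threshold.
Assumption: xml2-config is on PATH when run for real."""
import re
import subprocess

FIXED_VERSION = (2, 13, 0)  # first fixed release named in the advisory
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Pick the first dotted version out of text such as '2.9.13' or the
    'rpm -q libxml2' form 'libxml2-2.9.13-1.el9.x86_64'.  Missing patch -> 0."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError("no version number in %r" % text)
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_fixed(version_text):
    """True when the version in version_text is 2.13.0 or later.  Tuple
    comparison keeps 2.20.x and 3.x on the fixed side as well."""
    return parse_version(version_text) >= FIXED_VERSION


def installed_libxml2_version():
    """Ask xml2-config; returns None if the tool is absent or fails."""
    try:
        proc = subprocess.run(["xml2-config", "--version"],
                              capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return parse_version(proc.stdout)


if __name__ == "__main__":
    v = installed_libxml2_version()
    if v is None:
        print("xml2-config not available; check with your package manager instead")
    else:
        status = "fixed" if v >= FIXED_VERSION else "VULNERABLE per CVE-2026-0989"
        print("libxml2 %s: %s" % (".".join(map(str, v)), status))
```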
📡 Detection & Monitoring
Log Indicators:
- Application crashes during schema parsing
- Stack overflow errors in application logs
- Repeated process restarts
Network Indicators:
- Unusual schema file uploads to affected services
- HTTP 500 errors from schema validation endpoints
SIEM Query:
source="application.log" AND ("stack overflow" OR "segmentation fault") AND "libxml2"
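For environments without a SIEM, the same indicators can be applied to plain text logs. This is an added example, not from the advisory: it implements the query above (a crash keyword and "libxml2" on the same line) and the "repeated process restarts" indicator as a burst detector over systemd-style restart messages. The log lines, service names and the restart message format are constructed assumptions.

```python
"""Added example (not from the advisory): apply the advisory's log indicators
to plain text logs offline.  The log lines and service names below are
constructed; the systemd-style restart message format is an assumption."""
import re
from collections import defaultdict
from datetime import datetime

CRASH_RE = re.compile(r"stack overflow|segmentation fault", re.IGNORECASE)
LIBXML_RE = re.compile(r"libxml2", re.IGNORECASE)
RESTART_RE = re.compile(r"systemd: (?P<unit>\S+): scheduled restart job")
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z")

# Constructed sample log: three libxml2 crashes with restarts within a minute,
# plus an unrelated service's stack overflow and a single benign restart.
SAMPLE_LOG = """\
2026-01-15T10:02:11Z schema-svc[2345]: segmentation fault (core dumped) in libxml2 while parsing schema
2026-01-15T10:02:12Z systemd: schema-svc.service: scheduled restart job, restart counter is at 1
2026-01-15T10:02:40Z schema-svc[2390]: stack overflow detected in libxml2 RelaxNG parser
2026-01-15T10:02:41Z systemd: schema-svc.service: scheduled restart job, restart counter is at 2
2026-01-15T10:03:10Z schema-svc[2410]: segmentation fault in libxml2
2026-01-15T10:03:11Z systemd: schema-svc.service: scheduled restart job, restart counter is at 3
2026-01-15T10:05:00Z web[100]: GET /healthz 200
2026-01-15T10:05:30Z other-svc[555]: stack overflow in recursive_helper (unrelated)
2026-01-15T10:06:00Z systemd: other-svc.service: scheduled restart job, restart counter is at 1
"""


def parse_ts(line):
    """Timestamp at the start of a line, or None if the line has none."""
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S") if m else None


def schema_crash_lines(lines):
    """Plain-text equivalent of the SIEM query: crash keyword AND libxml2."""
    return [ln for ln in lines if CRASH_RE.search(ln) and LIBXML_RE.search(ln)]


def restart_bursts(lines, threshold=3, window_seconds=300):
    """Units restarted at least `threshold` times within any window_seconds
    span.  Returns {unit: total_restarts} for the flagged units only."""
    stamps = defaultdict(list)
    for ln in lines:
        m = RESTART_RE.search(ln)
        ts = parse_ts(ln)
        if m and ts:
            stamps[m.group("unit")].append(ts)
    flagged = {}
    for unit, ts in stamps.items():
        ts.sort()
        for i in range(len(ts) - threshold + 1):
            if (ts[i + threshold - 1] - ts[i]).total_seconds() <= window_seconds:
                flagged[unit] = len(ts)
                break
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ln in schema_crash_lines(lines):
        print("CRASH:", ln)
    print("restart bursts:", restart_bursts(lines))
```

The crash match alone is noisy (any segfault that mentions libxml2 fires); correlating it with a restart burst on the same unit is what separates a sustained schema-parsing denial of service from a one-off crash.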