CVE-2026-0990
📋 TL;DR
A recursion vulnerability in libxml2's xmlCatalogXMLResolveURI function allows remote attackers to cause denial of service by crashing applications that parse specially crafted XML catalogs. This affects any application using libxml2 with XML catalog functionality enabled. The vulnerability is configuration-dependent and requires specific XML catalog setups to be exploitable.
💻 Affected Systems
- libxml2
- Applications using libxml2 library
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote unauthenticated attacker crashes critical XML-processing services, causing sustained denial of service affecting business operations.
Likely Case
Application crashes when processing malicious XML input, resulting in temporary service disruption until restart.
If Mitigated
No impact if XML catalog functionality is disabled or proper input validation is implemented.
🎯 Exploit Status
Exploitation requires an attacker to provide specially crafted XML catalog input to a vulnerable application. No authentication is needed if the application accepts external XML input.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: libxml2 2.11.8 or later
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2026-0990
Restart Required: Yes
Instructions:
1. Update the libxml2 package to version 2.11.8 or later.
2. Restart affected applications.
3. For Linux: use the package manager (apt-get update && apt-get upgrade libxml2 for Debian/Ubuntu, yum update libxml2 for RHEL/CentOS).
🔧 Temporary Workarounds
Disable XML catalog functionality
- Prevent exploitation by disabling XML catalog processing in applications
- Configure applications to not use XML catalogs or disable catalog loading
Input validation and filtering
- Implement strict input validation for XML content
- Add XML schema validation before processing
- Filter or reject XML with catalog references
🧯 If You Can't Patch
- Implement network segmentation to restrict access to XML-processing services
- Deploy web application firewall (WAF) with XML payload inspection rules
🔍 How to Verify
Check if Vulnerable:
Check the libxml2 version: xml2-config --version or rpm -q libxml2
Check Version:
xml2-config --version
Verify Fix Applied:
Verify that the installed libxml2 version is 2.11.8 or higher
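As an added example (not part of this advisory or of libxml2), a POSIX shell check that compares the version string printed by xml2-config --version against the fix version 2.11.8 named above. It assumes the input is an upstream dotted version; distribution packages may backport the fix without changing that number, so the vendor advisory remains the authority.

```shell
# Added example, not from the advisory: is an installed libxml2 version
# string at or above the fix version the advisory names (2.11.8)?
FIXED_VERSION="2.11.8"

# version_ge A B: return 0 when dotted version A is >= B, else 1.
# Compares the first three numeric fields; a missing field counts as 0 and
# a package suffix on a field ("14-1", "8+dfsg") is ignored.
version_ge() {
    a="$1.0.0"; b="$2.0.0"          # pad so both sides have >= 3 fields
    i=0
    while [ "$i" -lt 3 ]; do
        fa=${a%%.*}; a=${a#*.}      # leading field, then drop it
        fb=${b%%.*}; b=${b#*.}
        fa=${fa%%[!0-9]*}; fb=${fb%%[!0-9]*}   # strip non-numeric suffix
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0                        # all three fields equal
}

# libxml2_status VERSION: report the result; returns 0 when at/above the fix,
# 1 when the upstream version is below it.
libxml2_status() {
    if version_ge "$1" "$FIXED_VERSION"; then
        echo "libxml2 $1: at or above fix version $FIXED_VERSION"
        return 0
    fi
    echo "libxml2 $1: below fix version $FIXED_VERSION (check vendor advisory for backports)"
    return 1
}

# When run on a host with xml2-config, check the installed library.
if command -v xml2-config >/dev/null 2>&1; then
    libxml2_status "$(xml2-config --version)" || :
fi
```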
📡 Detection & Monitoring
Log Indicators:
- Segmentation fault errors in application logs
- Unexpected application crashes when processing XML
- Stack overflow errors related to xmlCatalogXMLResolveURI
Network Indicators:
- Unusual XML payloads with catalog references
- Repeated XML requests causing service crashes
SIEM Query:
source="application.logs" AND ("segmentation fault" OR "stack overflow") AND "xml"