Home
LOW: 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:LDefault status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Description
A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.
Problem types
Product status
Timeline
| 2026-01-15: | Reported to Red Hat. |
| 2026-01-15: | Made public. |
Credits
Red Hat would like to thank lanbigking for reporting this issue.
References
access.redhat.com/security/cve/CVE-2026-0989
bugzilla.redhat.com/show_bug.cgi?id=2429933 (RHBZ#2429933)