CVE-2026-0992 Libxml2: libxml2: denial of service via crafted xml catalogs

🗓️ 15 Jan 2026 14:20:24Reported by redhatType

libxml2 denial of service through crafted XML catalogs with repeated nextCatalog entries causing high CPU.

Reporter	Title	Published	Views	Family All 92
IBM Security Bulletins	Security Bulletin: Vulnerabilities in libxml2 (CVE-2026-0989, CVE-2026-0990, CVE-2026-0992) affect AIX	28 May 202621:04	–	ibm
Tenable Nessus	AIX : Multiple Vulnerabilities (IJ58122)	3 Jun 202600:00	–	nessus
Tenable Nessus	AIX : Multiple Vulnerabilities (IJ58124)	3 Jun 202600:00	–	nessus
Tenable Nessus	AIX : Multiple Vulnerabilities (IJ58140)	3 Jun 202600:00	–	nessus
Tenable Nessus	AIX : Multiple Vulnerabilities (IJ58306)	3 Jun 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : libxml2, libxml2-devel, libxml2-static (ALAS2023-2026-1396)	5 Feb 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2 : libxml2, --advisory ALAS2-2026-3144 (ALAS-2026-3144)	5 Feb 202600:00	–	nessus
Tenable Nessus	EulerOS 2.0 SP13 : libxml2 (EulerOS-SA-2026-1252)	10 Mar 202600:00	–	nessus
Tenable Nessus	EulerOS 2.0 SP13 : libxml2 (EulerOS-SA-2026-1288)	10 Mar 202600:00	–	nessus
Tenable Nessus	EulerOS Virtualization 2.10.1 : libxml2 (EulerOS-SA-2026-2028)	6 Jun 202600:00	–	nessus

[
  {
    "vendor": "Red Hat",
    "product": "Red Hat Hardened Images",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "libxml2-main",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "2.15.2-0.3.hum1",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:hummingbird:1"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 10",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "libxml2",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/o:redhat:enterprise_linux:10"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 6",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "libxml2",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/o:redhat:enterprise_linux:6"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 7",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "libxml2",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/o:redhat:enterprise_linux:7"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 8",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "libxml2",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/o:redhat:enterprise_linux:8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 9",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "libxml2",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/o:redhat:enterprise_linux:9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat JBoss Core Services",
    "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
    "packageName": "libxml2",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:jboss_core_services:1"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift Container Platform 4",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "rhcos",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:openshift:4"
    ]
  }
]

Source	Link
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
access	www.access.redhat.com/security/cve/CVE-2026-0992
access	www.access.redhat.com/errata/RHSA-2026:7519
gitlab	www.gitlab.gnome.org/GNOME/libxml2/-/issues/1019

22 Apr 2026 09:31Current

CVSS 3.12.9

EPSS0.00025

CWE-400