PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-0990 Red Hat CVE debrief

CVE-2026-0990 is a medium-severity vulnerability in libxml2, a widely used XML parsing library. The flaw lies in the xmlCatalogXMLResolveURI function: a remote attacker who can supply a specially crafted XML catalog can trigger infinite recursion, exhausting the call stack and crashing the process with a segmentation fault, i.e. a Denial of Service (DoS). The issue is configuration-dependent and is only reachable with a specific XML catalog setup. It carries a CVSS score of 5.9 and is classified as MEDIUM severity. The CVE was published on January 15, 2026, and last modified on June 29, 2026.

Vendor: Red Hat
Product: Red Hat Hardened Images
CVSS: MEDIUM 5.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-01-15
Original CVE updated: 2026-06-29
Advisory published: 2026-01-15
Advisory updated: 2026-06-29

Who should care

Organizations running applications that rely on libxml2 for XML parsing should prioritize patching this vulnerability. Those whose XML catalogs could be manipulated by remote attackers are at higher risk. This includes developers of software that uses libxml2, administrators of the systems where such software runs, and security teams responsible for vulnerability management.

Technical summary

CVE-2026-0990 is an uncontrolled-recursion bug in libxml2's xmlCatalogXMLResolveURI function, part of the XML catalog mechanism that maps URIs to local resources. When a catalog contains a delegate URI entry that references itself, resolution follows the delegation back into the same catalog and never terminates. An attacker who can supply such a crafted catalog therefore forces unbounded recursion, which exhausts the call stack and ends in a segmentation fault; the impact is a Denial of Service (DoS) through the crash of the affected application. The CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H: network-reachable with high attack complexity, no privileges or user interaction required, no confidentiality or integrity impact, and high impact on availability.

Defensive priority

Patching is the primary action for CVE-2026-0990: given the medium severity and the DoS potential, updating libxml2 to a version that fixes this issue should be prioritized. Defenders should also review their systems for XML catalogs that could be manipulated, bearing in mind that the vulnerability is configuration-dependent and only triggers under specific conditions.

Recommended defensive actions

  • Apply patches or updates to libxml2 provided by the vendor or maintainers.
  • Review and restrict access to XML catalogs where possible.
  • Monitor systems for unusual activity related to XML parsing, such as repeated segmentation-fault crashes of XML-processing services.
  • Implement compensating controls such as network segmentation or rate limiting.
  • Perform thorough inventory checks to identify affected systems.
  • Engage in vulnerability management processes to ensure timely remediation.
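The technical summary above describes the trigger as a delegate URI entry that points back at its own catalog, and the actions above ask defenders to review the XML catalogs on their systems. The following audit script is an added example written for this debrief; it is not code from libxml2, Red Hat or PatchSiren. It parses catalogs in the OASIS XML Catalog format (namespace urn:oasis:names:tc:entity:xmlns:xml:catalog), flags delegateURI entries whose catalog attribute resolves to the file that contains them, and, going one step beyond the direct self-reference the page describes, also reports longer delegate cycles between several catalog files as a general hygiene check. The catalog texts and the /etc/xml paths are constructed fixtures, and the script only inspects delegateURI entries (delegatePublic, delegateSystem and nextCatalog would need the same treatment). It is a configuration review aid, not a substitute for the libxml2 update.

```python
"""Audit OASIS XML catalogs for delegateURI entries that point back at the
catalog containing them, plus longer delegate cycles.
Added example for the CVE-2026-0990 debrief; not libxml2 or Red Hat code.
"""
import os
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlparse

CATALOG_NS = "urn:oasis:names:tc:entity:xmlns:xml:catalog"
DELEGATE_URI = f"{{{CATALOG_NS}}}delegateURI"


def resolve_catalog_ref(catalog_path, ref):
    """Map a delegateURI 'catalog' attribute to a normalised local path.

    Relative references resolve against the directory of the catalog that
    contains them. Non-file URLs are returned unchanged because they
    cannot be compared with a local path.
    """
    parsed = urlparse(ref)
    if parsed.scheme == "file":
        ref = unquote(parsed.path)
    elif parsed.scheme:
        return ref
    base = os.path.dirname(os.path.abspath(catalog_path))
    return os.path.normpath(os.path.join(base, ref))


def delegate_edges(catalog_path, xml_text):
    """Return [(uriStartString, resolved_target)] for every delegateURI."""
    root = ET.fromstring(xml_text)
    edges = []
    for entry in root.iter(DELEGATE_URI):
        target = entry.get("catalog")
        if target:
            edges.append((entry.get("uriStartString", ""),
                          resolve_catalog_ref(catalog_path, target)))
    return edges


def find_self_references(catalog_path, xml_text):
    """uriStartString prefixes whose delegate target is this same catalog."""
    here = os.path.normpath(os.path.abspath(catalog_path))
    return [prefix for prefix, target in delegate_edges(catalog_path, xml_text)
            if target == here]


def find_delegate_cycles(catalogs):
    """Find cycles in the delegateURI graph of a set of catalogs.

    `catalogs` maps catalog path -> XML text, so the check runs offline.
    Each cycle is a list of paths ending where it began; a direct
    self-reference shows up as [path, path]. Targets that are not in
    `catalogs` cannot be inspected and are skipped.
    """
    graph = {}
    for path, text in catalogs.items():
        key = os.path.normpath(os.path.abspath(path))
        graph[key] = sorted({target for _, target in delegate_edges(path, text)})

    visited, cycles = set(), []

    def dfs(node, stack):
        # A back edge to a node still on the DFS stack closes a cycle.
        visited.add(node)
        stack.append(node)
        for nxt in graph.get(node, []):
            if nxt in stack:
                cycles.append(stack[stack.index(nxt):] + [nxt])
            elif nxt in graph and nxt not in visited:
                dfs(nxt, stack)
        stack.pop()

    for node in graph:
        if node not in visited:
            dfs(node, [])
    return cycles


# Constructed audit fixtures (hypothetical paths and content).
GOOD_CATALOG = """<?xml version="1.0"?>
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
  <uri name="http://example.org/schema.xsd" uri="schemas/schema.xsd"/>
  <delegateURI uriStartString="http://example.org/vendor/" catalog="vendor.xml"/>
</catalog>
"""
SELF_REF_CATALOG = """<?xml version="1.0"?>
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
  <delegateURI uriStartString="http://example.org/" catalog="catalog.xml"/>
</catalog>
"""
LOOP_A = """<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
  <delegateURI uriStartString="urn:a:" catalog="b.xml"/>
</catalog>"""
LOOP_B = """<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
  <delegateURI uriStartString="urn:a:" catalog="a.xml"/>
</catalog>"""

if __name__ == "__main__":
    print("self-references:",
          find_self_references("/etc/xml/catalog.xml", SELF_REF_CATALOG))
    print("cycles:",
          find_delegate_cycles({"/etc/xml/a.xml": LOOP_A, "/etc/xml/b.xml": LOOP_B}))
```

To run it against a real host, read each catalog file under the directory you are reviewing into the `catalogs` mapping and treat any non-empty result as a configuration to fix before exposing the application to untrusted input.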

Evidence notes

The CVE-2026-0990 vulnerability details were obtained from the NVD and CVE.org records. The vulnerability is described as an uncontrolled recursion issue in libxml2, specifically in the xmlCatalogXMLResolveURI function. The CVSS score and vector were provided by the NVD. Additional information was gathered from Red Hat's security advisories and bugzilla entries.

Official resources

This article is AI-assisted and based on the supplied source corpus.