Fluid Attacks Database

Description

A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	libxml2	=2.12.3+dfsg-0exp1 \|\| =2.12.5+dfsg-0exp1 \|\| =2.12.6+dfsg-0exp1 \|\| =2.12.6+dfsg-0exp2 \|\| =2.12.7+dfsg+really2.9.14-0.1 \|\| =2.12.7+dfsg+really2.9.14-0.2 \|\| =2.12.7+dfsg+really2.9.14-0.3 \|\| =2.12.7+dfsg+really2.9.14-0.4 \|\| =2.12.7+dfsg+really2.9.14-1 \|\| =2.12.7+dfsg+really2.9.14-2 \|\| =2.12.7+dfsg+really2.9.14-2.1 \|\| =2.12.7+dfsg-1 \|\| =2.12.7+dfsg-2 \|\| =2.12.7+dfsg-3 \|\| =2.13.1+dfsg-0exp1 \|\| =2.13.3+dfsg-0exp1 \|\| =2.13.3+dfsg-0exp2 \|\| =2.14.1+dfsg-0exp1 \|\| =2.14.2+dfsg-0exp1 \|\| =2.14.3+dfsg-0exp1 \|\| =2.14.3+dfsg-0exp2 \|\| =2.14.3+dfsg-0exp3 \|\| =2.14.4+dfsg-0exp1 \|\| =2.14.5+dfsg-0.1 \|\| =2.14.5+dfsg-0.2 \|\| =2.14.5+dfsg-0exp1 \|\| =2.14.5+dfsg-0exp2 \|\| =2.14.6+dfsg-0.1 \|\| =2.15.0+dfsg-0.1 \|\| =2.15.0+dfsg-0.2 \|\| =2.15.0+dfsg-0.3 \|\| =2.15.1+dfsg-0.1 \|\| =2.15.1+dfsg-0.2 \|\| =2.15.1+dfsg-0.3 \|\| =2.15.1+dfsg-0.4 \|\| =2.15.1+dfsg-0.5 \|\| =2.15.1+dfsg-1 \|\| =2.15.1+dfsg-2 \|\| =2.15.2+dfsg-0.1 \|\| =2.9.10+dfsg-6.7 \|\| =2.9.10+dfsg-6.7+deb11u1 \|\| =2.9.10+dfsg-6.7+deb11u2 \|\| =2.9.10+dfsg-6.7+deb11u3 \|\| =2.9.10+dfsg-6.7+deb11u4 \|\| =2.9.10+dfsg-6.7+deb11u5 \|\| =2.9.10+dfsg-6.7+deb11u6 \|\| =2.9.10+dfsg-6.7+deb11u7 \|\| =2.9.10+dfsg-6.7+deb11u8 \|\| =2.9.10+dfsg-6.7+deb11u9 \|\| =2.9.12+dfsg-1 \|\| =2.9.12+dfsg-2 \|\| =2.9.12+dfsg-3 \|\| =2.9.12+dfsg-4 \|\| =2.9.12+dfsg-5 \|\| =2.9.12+dfsg-6 \|\| =2.9.13+dfsg-1 \|\| =2.9.14+dfsg-1 \|\| =2.9.14+dfsg-1.1 \|\| =2.9.14+dfsg-1.2 \|\| =2.9.14+dfsg-1.3 \|\| =2.9.14+dfsg-1.3~deb12u1 \|\| =2.9.14+dfsg-1.3~deb12u2 \|\| =2.9.14+dfsg-1.3~deb12u3 \|\| =2.9.14+dfsg-1.3~deb12u4 \|\| =2.9.14+dfsg-1.3~deb12u5	-
debian 12	libxml2	=2.12.3+dfsg-0exp1 \|\| =2.12.5+dfsg-0exp1 \|\| =2.12.6+dfsg-0exp1 \|\| =2.12.6+dfsg-0exp2 \|\| =2.12.7+dfsg+really2.9.14-0.1 \|\| =2.12.7+dfsg+really2.9.14-0.2 \|\| =2.12.7+dfsg+really2.9.14-0.3 \|\| =2.12.7+dfsg+really2.9.14-0.4 \|\| =2.12.7+dfsg+really2.9.14-1 \|\| =2.12.7+dfsg+really2.9.14-2 \|\| =2.12.7+dfsg+really2.9.14-2.1 \|\| =2.12.7+dfsg-1 \|\| =2.12.7+dfsg-2 \|\| =2.12.7+dfsg-3 \|\| =2.13.1+dfsg-0exp1 \|\| =2.13.3+dfsg-0exp1 \|\| =2.13.3+dfsg-0exp2 \|\| =2.14.1+dfsg-0exp1 \|\| =2.14.2+dfsg-0exp1 \|\| =2.14.3+dfsg-0exp1 \|\| =2.14.3+dfsg-0exp2 \|\| =2.14.3+dfsg-0exp3 \|\| =2.14.4+dfsg-0exp1 \|\| =2.14.5+dfsg-0.1 \|\| =2.14.5+dfsg-0.2 \|\| =2.14.5+dfsg-0exp1 \|\| =2.14.5+dfsg-0exp2 \|\| =2.14.6+dfsg-0.1 \|\| =2.15.0+dfsg-0.1 \|\| =2.15.0+dfsg-0.2 \|\| =2.15.0+dfsg-0.3 \|\| =2.15.1+dfsg-0.1 \|\| =2.15.1+dfsg-0.2 \|\| =2.15.1+dfsg-0.3 \|\| =2.15.1+dfsg-0.4 \|\| =2.15.1+dfsg-0.5 \|\| =2.15.1+dfsg-1 \|\| =2.15.1+dfsg-2 \|\| =2.15.2+dfsg-0.1 \|\| =2.9.14+dfsg-1.2 \|\| =2.9.14+dfsg-1.3 \|\| =2.9.14+dfsg-1.3~deb12u1 \|\| =2.9.14+dfsg-1.3~deb12u2 \|\| =2.9.14+dfsg-1.3~deb12u3 \|\| =2.9.14+dfsg-1.3~deb12u4 \|\| =2.9.14+dfsg-1.3~deb12u5	-
debian 13	libxml2	=2.12.7+dfsg+really2.9.14-2.1 \|\| =2.12.7+dfsg+really2.9.14-2.1+deb13u1 \|\| =2.12.7+dfsg+really2.9.14-2.1+deb13u2 \|\| =2.13.1+dfsg-0exp1 \|\| =2.13.3+dfsg-0exp1 \|\| =2.13.3+dfsg-0exp2 \|\| =2.14.1+dfsg-0exp1 \|\| =2.14.2+dfsg-0exp1 \|\| =2.14.3+dfsg-0exp1 \|\| =2.14.3+dfsg-0exp2 \|\| =2.14.3+dfsg-0exp3 \|\| =2.14.4+dfsg-0exp1 \|\| =2.14.5+dfsg-0.1 \|\| =2.14.5+dfsg-0.2 \|\| =2.14.5+dfsg-0exp1 \|\| =2.14.5+dfsg-0exp2 \|\| =2.14.6+dfsg-0.1 \|\| =2.15.0+dfsg-0.1 \|\| =2.15.0+dfsg-0.2 \|\| =2.15.0+dfsg-0.3 \|\| =2.15.1+dfsg-0.1 \|\| =2.15.1+dfsg-0.2 \|\| =2.15.1+dfsg-0.3 \|\| =2.15.1+dfsg-0.4 \|\| =2.15.1+dfsg-0.5 \|\| =2.15.1+dfsg-1 \|\| =2.15.1+dfsg-2 \|\| =2.15.2+dfsg-0.1	-
debian 14	libxml2	=2.12.7+dfsg+really2.9.14-2.1 \|\| =2.13.1+dfsg-0exp1 \|\| =2.13.3+dfsg-0exp1 \|\| =2.13.3+dfsg-0exp2 \|\| =2.14.1+dfsg-0exp1 \|\| =2.14.2+dfsg-0exp1 \|\| =2.14.3+dfsg-0exp1 \|\| =2.14.3+dfsg-0exp2 \|\| =2.14.3+dfsg-0exp3 \|\| =2.14.4+dfsg-0exp1 \|\| =2.14.5+dfsg-0.1 \|\| =2.14.5+dfsg-0.2 \|\| =2.14.5+dfsg-0exp1 \|\| =2.14.5+dfsg-0exp2 \|\| =2.14.6+dfsg-0.1 \|\| =2.15.0+dfsg-0.1 \|\| =2.15.0+dfsg-0.2 \|\| =2.15.0+dfsg-0.3 \|\| =2.15.1+dfsg-0.1 \|\| =2.15.1+dfsg-0.2 \|\| =2.15.1+dfsg-0.3 \|\| =2.15.1+dfsg-0.4 \|\| =2.15.1+dfsg-0.5 \|\| =2.15.1+dfsg-1 \|\| =2.15.1+dfsg-2 \|\| >=0 <2.15.2+dfsg-0.1	2.15.2+dfsg-0.1
rpm rhel7	libxml2	-	-
rpm rhel8	libxml2	-	-
rpm rhel10	libxml2	-	-
rpm rhel6	libxml2	-	-
rpm rhel9	libxml2	-	-

Aliases

1. CVE-2026-09902. NVD-2026-09903. OSV-DEBIAN-2026-09904. OSV-2026-09905. SECURITY-TRACKER-CVE-2026-0990

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.