CVE-2026-0989: Libxml2: unbounded relaxng include recursion leading to stack overflow

Published Jan 15, 2026
·
Updated

A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.

Affected Software

1 affected component
Xmlsoft Libxml2

Event History

Jan 15, 2026
Data Sourced
via Red Hat·12:53 PM
DescriptionSeverityAffected Software
CVE Published
via MITRE·02:20 PM
Data Sourced
via MITRE·02:20 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·03:15 PM
DescriptionSeverityWeakness
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2026-0989?

CVE-2026-0989 is classified as a high severity vulnerability due to the potential for stack overflow attacks.

2

How do I fix CVE-2026-0989?

To fix CVE-2026-0989, update to a patched version of libxml2 that enforces limits on inclusion depth.

3

What types of software are affected by CVE-2026-0989?

CVE-2026-0989 affects the libxml2 library used primarily in GNOME applications.

4

What are the consequences of exploiting CVE-2026-0989?

Exploitation of CVE-2026-0989 can lead to application crashes and potentially allow remote code execution.

5

Is there a workaround for CVE-2026-0989?

Currently, there is no official workaround for CVE-2026-0989 other than applying the necessary updates.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203