CVE-2026-0990: Uncontrolled Recursion in Red Hat Red Hat Hardened Images
A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications.
AI Analysis
Technical Summary
This vulnerability in libxml2 arises from uncontrolled recursion in the xmlCatalogXMLResolveURI function triggered by a self-referencing delegate URI entry in an XML catalog. An attacker supplying a crafted XML catalog can cause infinite recursion, exhausting the call stack and causing a segmentation fault. This leads to a denial of service by crashing applications that use libxml2. The issue affects Red Hat Hardened Images and is tracked as CVE-2026-0990 with a CVSS 3.1 base score of 5.9 (medium severity). Red Hat has published updated RPMs for libxml2 to fix this vulnerability.
Potential Impact
Exploitation of this vulnerability results in a denial of service condition due to application crashes caused by stack exhaustion from infinite recursion. There is no impact on confidentiality or integrity. The vulnerability requires a specially crafted XML catalog and has a high attack complexity with no privileges or user interaction required.
Mitigation Recommendations
Red Hat has released updated libxml2 RPM packages (version 2.15.2-0.3.hum1) for affected architectures (aarch64, x86_64) as detailed in Red Hat Security Advisory RHSA-2026:7519. Users of Red Hat Hardened Images should apply these official updates to remediate the vulnerability. Patch status is confirmed as fixed by Red Hat. No additional mitigation steps are indicated in the vendor advisory.
CVE-2026-0990: Uncontrolled Recursion in Red Hat Red Hat Hardened Images
Description
A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in libxml2 arises from uncontrolled recursion in the xmlCatalogXMLResolveURI function triggered by a self-referencing delegate URI entry in an XML catalog. An attacker supplying a crafted XML catalog can cause infinite recursion, exhausting the call stack and causing a segmentation fault. This leads to a denial of service by crashing applications that use libxml2. The issue affects Red Hat Hardened Images and is tracked as CVE-2026-0990 with a CVSS 3.1 base score of 5.9 (medium severity). Red Hat has published updated RPMs for libxml2 to fix this vulnerability.
Potential Impact
Exploitation of this vulnerability results in a denial of service condition due to application crashes caused by stack exhaustion from infinite recursion. There is no impact on confidentiality or integrity. The vulnerability requires a specially crafted XML catalog and has a high attack complexity with no privileges or user interaction required.
Mitigation Recommendations
Red Hat has released updated libxml2 RPM packages (version 2.15.2-0.3.hum1) for affected architectures (aarch64, x86_64) as detailed in Red Hat Security Advisory RHSA-2026:7519. Users of Red Hat Hardened Images should apply these official updates to remediate the vulnerability. Patch status is confirmed as fixed by Red Hat. No additional mitigation steps are indicated in the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- redhat
- Date Reserved
- 2026-01-15T13:15:10.756Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/errata/RHSA-2026:7519","vendor":"Red Hat"},{"url":"https://access.redhat.com/security/cve/CVE-2026-0990","vendor":"Red Hat"}]
Threat ID: 6968faa94c611209ad238976
Added to database: 1/15/2026, 2:33:13 PM
Last enriched: 4/24/2026, 3:54:03 PM
Last updated: 5/10/2026, 2:22:10 PM
Views: 291
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.