CVE-2026-0990: Uncontrolled Recursion in libxml2 (Red Hat Enterprise Linux 10)
CVE-2026-0990 is a medium-severity vulnerability in the libxml2 library shipped with Red Hat Enterprise Linux 10. It arises from uncontrolled recursion in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that refers back to itself. An attacker who can get a crafted catalog into libxml2's resolution chain triggers unbounded recursion, the call stack is exhausted, and the process dies with a segmentation fault: a Denial of Service (DoS). The vulnerability requires no authentication or user interaction, but attack complexity is high because the self-referencing entry must sit in a catalog the target actually loads. It affects availability only, not confidentiality or integrity. No exploits are currently reported in the wild. European organizations running Red Hat Enterprise Linux 10 with libxml2 are exposed, especially where XML processing services resolve identifiers through catalogs that untrusted parties can influence. Mitigation consists of applying vendor patches once available, restricting which catalogs libxml2 may load, and monitoring for abnormal application crashes. Countries with significant Red Hat Enterprise Linux deployments and critical infrastructure relying on XML processing, such as Germany, France, and the UK, are most likely affected.
AI Analysis
Technical Summary
CVE-2026-0990 is a vulnerability in the libxml2 XML parsing library as shipped with Red Hat Enterprise Linux 10. The flaw is in xmlCatalogXMLResolveURI, the routine that resolves a URI through an OASIS XML catalog and follows its delegateURI entries. When a matching delegateURI entry points, directly or through a chain of catalogs, back at the catalog being processed, the function recurses without bound until the call stack is exhausted; the resulting guard-page fault is reported as a segmentation fault and the hosting process dies, producing a Denial of Service (DoS). The condition is configuration-dependent: the self-referencing entry must be in a catalog that libxml2 actually loads. In practice that means a file named in XML_CATALOG_FILES or the system catalog (/etc/xml/catalog on RHEL), a catalog the application loads explicitly through the catalog API, or a catalog named by an oasis-xml-catalog processing instruction inside a parsed document where the application permits document-level catalog PIs. That prerequisite is why the CVSS 3.1 vector is AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H, scoring 5.9 (medium): no privileges or user interaction, but high attack complexity because the attacker must get a crafted catalog into the resolution chain rather than simply send a document. The impact is limited to availability; confidentiality and integrity are unaffected. No exploitation in the wild has been reported, but any application relying on libxml2 for XML processing is at risk where its catalog sources are exposed to untrusted input. The vulnerability underlines the need to treat XML catalogs as trusted configuration, to validate them before installation, and to apply Red Hat's patch promptly once released.
Potential Impact
For European organizations, this vulnerability primarily threatens the availability of systems running Red Hat Enterprise Linux 10 that use libxml2 for XML processing. Any libxml2-based process that resolves external identifiers through an attacker-influenced catalog can be crashed, causing application failures and potential service outages. This can affect web servers, middleware, and other enterprise applications relying on XML for configuration or data exchange, including command-line tooling such as xmllint and xsltproc run in batch pipelines. Because the crash takes down the whole process, the DoS degrades service availability and with it business continuity and operational stability. While data confidentiality and integrity are not compromised, service disruption can have cascading effects, especially in sectors like finance, healthcare, and government where uptime is crucial. Organizations with automated XML processing workflows, or with XML interfaces where external parties can influence catalog loading, are at higher risk. The medium severity rating reflects that exploitation is not trivial, but the denial of service it yields still warrants timely mitigation.
Mitigation Recommendations
1. Apply Red Hat's libxml2 update as soon as it is published (on RHEL 10, `dnf updateinfo info --cve CVE-2026-0990` shows whether an advisory is available). Until then, treat every catalog libxml2 will load as trusted configuration.
2. Restrict where catalogs come from: point XML_CATALOG_FILES only at vetted files, keep /etc/xml/catalog and the catalogs it chains to writable by root only, and do not let untrusted users influence the environment of XML-processing services.
3. Where an application does not need catalogs, disable them: xmlCatalogSetDefaults(XML_CATA_ALLOW_NONE) in code, or `xmllint --nocatalogs` on the command line. Where only the system catalog is needed, XML_CATA_ALLOW_GLOBAL stops document-embedded oasis-xml-catalog processing instructions from pulling in further catalogs.
4. Validate catalogs as a graph, not just as XML. Schema validation cannot see that a delegateURI, delegateSystem, delegatePublic or nextCatalog entry resolves back to the catalog being processed; walk the chain of catalog references and reject any cycle before the catalog is installed.
5. Monitor for the symptom: a SIGSEGV in a libxml2-linked process during catalog resolution (visible via journalctl, coredumpctl or abrt on RHEL) is the observable signature; alert on repeated crashes of the same service.
6. Stack canaries and ASLR do not help here: stack exhaustion is not a memory-corruption bug, and the guard-page fault occurs regardless, so treat them as baseline hardening rather than as a mitigation for this CVE. What bounds the impact is running XML processing in separate, sandboxed worker processes under a supervisor that restarts them, so one crafted catalog takes down one worker rather than the whole service.
7. Educate developers and system administrators that XML catalogs are executable configuration for the parser, and that catalog files and the variables that select them deserve the same change control as any other privileged configuration.
8. If patching is delayed, consider whether the affected component can be rebuilt against a patched libxml2 or run without catalog resolution at all.
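The catalog-graph check recommended in item 4 above, as an added example that is not part of the original page, libxml2 or Red Hat: it loads OASIS XML catalogs from a constructed in-memory dictionary (path to catalog text), follows every delegateURI, delegateSystem, delegatePublic and nextCatalog entry, and reports any chain that returns to a catalog already on the path, which is the self-referencing delegate condition described for CVE-2026-0990. The sample catalogs are constructed for the example. Simplifications labelled in the code: the `catalog` attribute is resolved against the catalog file's directory rather than a full xml:base computation, and http(s) targets are left unresolved. It uses Python's expat-based xml.etree rather than libxml2, so scanning a malicious catalog cannot itself trigger the recursion.

```python
"""Find self-referencing or cyclic catalog chains in OASIS XML catalogs.

Added example for this page (not libxml2 or Red Hat code). Uses the
stdlib expat-based parser, so a hostile catalog cannot crash the scanner.
"""
import posixpath
import xml.etree.ElementTree as ET

CATALOG_NS = "{urn:oasis:names:tc:entity:xmlns:xml:catalog}"
# Entry types whose 'catalog' attribute hands resolution to another catalog.
CHAINING_ENTRIES = {"delegateURI", "delegateSystem", "delegatePublic", "nextCatalog"}


def resolve_target(base_dir, href):
    """Resolve a catalog reference. Simplification (assumption): relative
    references resolve against the referring file's directory, and remote
    http(s) references are returned unchanged."""
    if "://" in href:
        return href
    return posixpath.normpath(posixpath.join(base_dir, href))


def catalog_edges(path, text):
    """Return (entry_type, target_path) for every chaining entry in one catalog."""
    root = ET.fromstring(text)
    base_dir = posixpath.dirname(path)
    edges = []
    for elem in root.iter():
        if not elem.tag.startswith(CATALOG_NS):
            continue
        entry = elem.tag[len(CATALOG_NS):]
        if entry in CHAINING_ENTRIES and "catalog" in elem.attrib:
            edges.append((entry, resolve_target(base_dir, elem.attrib["catalog"])))
    return edges


def find_catalog_cycles(catalogs, start):
    """Depth-first walk of the catalog graph from `start`; returns each cycle
    as the list of catalog paths on it, ending with the repeated path.
    An empty list means the catalog chain is acyclic and safe to install."""
    cycles, seen = [], set()

    def visit(path, stack):
        if path in stack:
            cycle = tuple(stack[stack.index(path):] + [path])
            if cycle not in seen:
                seen.add(cycle)
                cycles.append(list(cycle))
            return
        text = catalogs.get(path)
        if text is None:
            return  # unreadable target: libxml2 fails the fetch, no recursion
        for _, target in catalog_edges(path, text):
            visit(target, stack + [path])

    visit(start, [])
    return cycles


# Constructed sample catalogs (not real files).
NS = 'xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"'
SELF_DELEGATE = {  # the CVE pattern: a delegate entry naming its own file
    "/etc/xml/catalog": f'<catalog {NS}><delegateURI uriStartString='
                        f'"http://example.org/schemas/" catalog="catalog"/></catalog>',
}
INDIRECT = {  # two-hop loop through a vendor catalog
    "/etc/xml/catalog": f'<catalog {NS}><nextCatalog catalog="vendor/catalog.xml"/></catalog>',
    "/etc/xml/vendor/catalog.xml": f'<catalog {NS}><delegateSystem systemIdStartString='
                                   f'"http://example.org/dtd/" catalog="../catalog"/></catalog>',
}
BENIGN = {  # chain terminates in plain uri entries
    "/etc/xml/catalog": f'<catalog {NS}><nextCatalog catalog="vendor/catalog.xml"/></catalog>',
    "/etc/xml/vendor/catalog.xml": f'<catalog {NS}><uri name='
                                   f'"http://example.org/schemas/x.xsd" uri="x.xsd"/></catalog>',
}

if __name__ == "__main__":
    for label, cats in (("self", SELF_DELEGATE), ("indirect", INDIRECT), ("benign", BENIGN)):
        found = find_catalog_cycles(cats, "/etc/xml/catalog")
        print(label, "REJECT" if found else "ok", found)
```

Run the check in the pipeline that installs or generates catalogs and refuse to deploy when it returns anything; the walk mirrors the direction libxml2 follows references, so a loop it reports is one the resolver can enter.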
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2026-01-15T13:15:10.756Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6968faa94c611209ad238976
Added to database: 1/15/2026, 2:33:13 PM
Last enriched: 1/15/2026, 2:47:49 PM
Last updated: 1/15/2026, 4:00:48 PM