CVE-2026-0989
LowCVSS 3.7Exploitation Probability (EPSS)
Low risk34th percentile — higher than 34% of all known CVEs
Summary
A flaw was found in the RelaxNG parser of libxml2 related to handling external schema inclusions. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives, which can cause excessive recursion. Specially crafted schemas may lead to stack exhaustion and application crashes.
Risk Assessment
An attacker can exploit this vulnerability to perform a Denial of Service (DoS) attack on applications using libxml2 to process RelaxNG schemas. This could result in service unavailability and system downtime.
Recommendation
Immediately update libxml2 to a version that includes a limit on schema inclusion depth. If an update is not possible, restrict access to processing untrusted RelaxNG schemas.
Original NVD description (English source)
A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.

