Skip to main content

libxml2 CVE-2026-11979

| EUVDEUVD-2026-40092 LOW
Stack-based Buffer Overflow (CWE-121)
2026-06-29 CERT-PL GHSA-h67q-h62w-5mjr
1.8
CVSS 4.0 · Vendor: CERT-PL

Severity by source

Vendor (CERT-PL) PRIMARY
1.8 LOW
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.3 LOW

Local vector with no privileges required to run xmlcatalog; user must actively invoke --shell mode (UI:R); impact is limited to process crash (A:L) within the unchanged xmlcatalog process scope.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
4.0 AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (CERT-PL).

CVSS VectorVendor: CERT-PL

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 29, 2026 - 14:31 vuln.today

DescriptionCVE.org

libxml2 is vulnerable to multiple stack-based buffer overflows in the xmlcatalog utility when running in --shell mode. The usershell() function processes user input using fixed-size stack buffers without proper bounds checking. By supplying an overly long input line, an attacker can overflow internal buffers (command, arg, and argv) during input parsing. This results in memory corruption within the stack frame. Successful exploitation may cause a crash or potentially allow arbitrary code execution in the context of the xmlcatalog process.

This issue has been fixed in the commit c2e233fc.

NOTE: The maintainers of this project did not agree that this issue is a vulnerability and considered it a bug.

AnalysisAI

Stack-based buffer overflows in libxml2's xmlcatalog utility enable memory corruption and potential arbitrary code execution when the tool is invoked in its interactive --shell mode. The usershell() function writes user-supplied input into fixed-size stack buffers (command, arg, argv) without any length validation, allowing overflow of adjacent stack memory including return addresses. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local system access
Delivery
Invoke xmlcatalog --shell mode
Exploit
Supply oversized input string
Execution
Overflow stack buffers in usershell()
Persist
Corrupt stack frame and return address
Impact
Crash process or redirect execution

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker or victim explicitly invoke the xmlcatalog utility with the --shell flag to enter interactive shell mode - this is a non-default, non-automated invocation that is not triggered during any normal XML processing workflow or library API call. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 1.8 (AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:L/SI:L/SA:N) places this at the lowest practical severity tier. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user on a Linux system runs xmlcatalog with the --shell flag to enter interactive mode, then supplies or pipes an excessively long input string, overflowing the fixed-size command/arg/argv buffers in usershell() and corrupting the stack frame. On systems without effective stack canaries or with exploitable memory layouts, this could permit a ROP-chain or shellcode execution within the xmlcatalog process context; on hardened systems, the realistic outcome is a process crash. …
Remediation The upstream fix is available as GitLab commit c2e233fc (https://gitlab.gnome.org/GNOME/libxml2/-/commit/c2e233fc1b341685fc99621b2768b503f777a72e); a formally tagged patched release version has not been confirmed from available data - monitor the libxml2 GNOME GitLab repository for a tagged release incorporating this commit and apply it once available. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-6021 HIGH POC
7.5 Jun 12

Stack-based buffer overflow in libxml2's xmlBuildQName function allows remote unauthenticated attackers to crash affecte

CVE-2016-4658 CRITICAL
9.8 Sep 25

xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS befor

CVE-2016-1762 HIGH POC
8.1 Mar 24

The xmlNextChar function in libxml2 before 2.9.4 allows remote attackers to cause a denial of service (heap-based buffer

CVE-2016-1834 HIGH POC
7.8 May 20

Heap-based buffer overflow in the xmlStrncat function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X b

CVE-2016-1840 HIGH POC
7.8 May 20

Heap-based buffer overflow in the xmlFAParsePosCharGroup function in libxml2 before 2.9.4, as used in Apple iOS before 9

CVE-2017-9047 HIGH POC
7.5 May 18

A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. Rated high severity (CVSS 7.5), this vulnerabil

CVE-2016-4447 HIGH POC
7.5 Jun 09

The xmlParseElementDecl function in parser.c in libxml2 before 2.9.4 allows context-dependent attackers to cause a denia

CVE-2017-16932 HIGH
7.5 Nov 23

parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities. Rated high severity (CVSS 7.

CVE-2016-4483 HIGH POC
7.5 Apr 11

The xmlBufAttrSerializeTxtContent function in xmlsave.c in libxml2 allows context-dependent attackers to cause a denial

CVE-2013-1969 HIGH POC
7.5 Apr 25

Multiple use-after-free vulnerabilities in libxml2 2.9.0 and possibly other versions might allow context-dependent attac

CVE-2016-1839 MEDIUM POC
5.5 May 20

The xmlDictAddString function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS befo

CVE-2016-1838 MEDIUM POC
5.5 May 20

The xmlPArserPrintFileContextInternal function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 1

Share

CVE-2026-11979 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy