A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition.

The version of libxml2 installed on the remote host is prior to 2.9.1-6. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3144 advisory.

    A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in     the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references     itself. A remote attacker could exploit this configuration-dependent issue by providing a specially     crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a     segmentation fault, causing a Denial of Service (DoS) by crashing affected applications. (CVE-2026-0990)

    A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when     processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream     catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to     redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application     availability, resulting in a denial-of-service condition. (CVE-2026-0992)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1396 advisory.

    A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in     the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references     itself. A remote attacker could exploit this configuration-dependent issue by providing a specially     crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a     segmentation fault, causing a Denial of Service (DoS) by crashing affected applications. (CVE-2026-0990)

    A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when     processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream     catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to     redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application     availability, resulting in a denial-of-service condition. (CVE-2026-0992)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-7974-1 advisory.

    It was discovered that libxml2 incorrectly handled maliciously crafted SGML catalog files. An attacker     could possibly use this issue to cause libxml2 to consume excessive resources, leading to a denial of     service. (CVE-2025-8732)

    It was discovered that libxml2 incorrectly handled recursive include directories with the RelaxNG parser.
    An attacker could possibly use this issue to cause libxml2 to consume excessive resources, leading to a     denial of service. (CVE-2026-0989)

    Nick Wellnhofer discovered that libxml2 incorrectly parsed catalogs with self-referencing URI delegates.
    An attacker could possibly use this issue to cause libxml2 to consume excessive resources, leading to a     denial of service. (CVE-2026-0990)

    Nick Wellnhofer discovered that libxml2 inefficiently parsed catalogs linked with repeating nextCatalog     elements. An attacker could possibly use this issue to cause libxml2 to use excessive resources, leading     to a denial of service. (CVE-2026-0992)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when     processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream     catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to     redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application     availability, resulting in a denial-of-service condition. (CVE-2026-0992)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
298135	Amazon Linux 2 : libxml2, --advisory ALAS2-2026-3144 (ALAS-2026-3144)	Nessus	Amazon Linux Local Security Checks	medium
298081	Amazon Linux 2023 : libxml2, libxml2-devel, libxml2-static (ALAS2023-2026-1396)	Nessus	Amazon Linux Local Security Checks	medium
296249	Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 : libxml2 vulnerabilities (USN-7974-1)	Nessus	Ubuntu Local Security Checks	medium
286281	Linux Distros Unpatched Vulnerability : CVE-2026-0992	Nessus	Misc.	low

Detections

Analytics

CVE-2026-0992

low

Tenable Plugins

medium

medium

medium

low