Primary

Context

libxml2 Uncontrolled Recursion Vulnerability in xmlcatalog Component

Vulnerability

A vulnerability allowing uncontrolled recursion has been identified in libxml2 versions through 2.14.5. This issue arises in the xmlcatalog component, specifically within the xmlParseSGMLCatalog function. The vulnerability can be triggered by processing untrusted SGML catalogs, leading to excessive resource consumption and application crashes. Although an exploit is publicly available, the existence of this vulnerability is currently disputed.

Impact

Exploitation of this vulnerability causes a stack overflow, leading to a crash of the application.

Reproduction

The vulnerability can be reproduced by using the xmlcatalog tool with the '--sgml --shell --create --add' options, along with a crafted SGML catalog file that exploits the recursion issue. This causes the xmlExpandCatalog and xmlParseSGMLCatalog functions to call each other repeatedly, without termination, until the stack memory is exhausted, resulting in a crash.

Added: Aug 8, 2025, 5:17 PM

Updated: Aug 8, 2025, 5:17 PM

Vulnerability Rating

Custom Algorithm

spread

7.8

impact

2.5

exploitability

4.6

remediation

0.0

relevance

0.3

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

7.8

impact

2.5

exploitability

4.6

remediation

0.0

relevance

0.3

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

libxml2 Uncontrolled Recursion Vulnerability in xmlcatalog Component

Vulnerability

Impact

Reproduction

Affected Products

GNOME libxml2

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating