Bug 2461300 (CVE-2026-6732)

Summary: CVE-2026-6732 libxml2: libxml2: Denial of Service via crafted XSD-validated document
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: caswilli, crizzo, csutherl, jclere, jmitchel, kaycoth, kshier, pbohmill, pjindal, plodge, rhel-process-autobot, stcannon, szappis, teagle, vchlup, watson-tool-maintainers, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition (XSD) validated document that includes an internal entity reference. An attacker could exploit this by providing a malicious document, leading to a type confusion error that causes the application to crash. This results in a denial of service (DoS), making the affected system or application unavailable.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-04-23 22:09:03 UTC
xmlParseReference in parser.c passes ctxt instead of ctxt->userData to the SAX characters / cdataBlock callbacks when emitting the first or last text child of a cached entity tree (parser.c). Every other SAX callsite in the same file correctly passes ctxt->userData.

When xmlSchemaSAXPlug is active, which is the case for every user of xmlTextReaderSetSchema / xmlTextReaderSchemaValidate and for lxml's XMLParser(schema=...), ctxt->userData has been swapped to a _xmlSchemaSAXPlug *. Handing the confused charactersSplit handler a raw xmlParserCtxt * causes it to dereference ctxt->myDoc as the forwarded SAX handler and call myDoc->URL as a function pointer, producing a reliable SIGSEGV on the first internal-entity reference in any XSD-validated document. If myDoc->URL is NULL, the secondary path (xmlSchemaSAXHandleText with a garbage plug pointer) crashes instead.