Bug 2494690

Summary: CVE-2026-11979 mingw-libxml2: libxml2: Arbitrary code execution in xmlcatalog utility via buffer overflow [epel-all]
Product: [Fedora] Fedora EPEL Reporter: Jon Moroney <jmoroney>
Component: mingw-libxml2Assignee: Richard W.M. Jones <rjones>
Status: NEW --- QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: epel10CC: epel-packagers-sig, rjones
Target Milestone: ---Keywords: Security, SecurityTracking
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: {"flaws": ["0fb04d31-b419-4aff-96c6-b4eca863f51a"]}
Fixed In Version: Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2494191    

Description Jon Moroney 2026-06-29 21:04:56 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

libxml2 is vulnerable to multiple stack-based buffer overflows in the xmlcatalog utility when running in --shell mode. The usershell() function processes user input using fixed-size stack buffers without proper bounds checking.
By supplying an overly long input line, an attacker can overflow internal buffers (command, arg, and argv) during input parsing. This results in memory corruption within the stack frame.
Successful exploitation may cause a crash or potentially allow arbitrary code execution in the context of the xmlcatalog process.

This issue has been fixed in the commit c2e233fc.

NOTE:
The maintainers of this project did not agree that this issue is a vulnerability and considered it a bug.