
CVE-2026-0989: libxml2 RelaxNG Parser DoS Vulnerability

CVE-2026-0989 is a denial-of-service flaw in libxml2's RelaxNG parser caused by unbounded recursion in nested schema inclusions. Attackers can trigger stack exhaustion and crash applications. This article covers technical details, affected versions, impact, and mitigation.

Published: January 23, 2026

CVE-2026-0989 Overview

A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.

Critical Impact

Uncontrolled recursion in the libxml2 RelaxNG parser can lead to stack exhaustion and application crashes when processing maliciously crafted XML schemas with deeply nested include directives.

Affected Products

  • libxml2 (versions with RelaxNG parser support)

Discovery Timeline

  • 2026-01-15 - CVE-2026-0989 published to NVD
  • 2026-01-16 - Last updated in NVD database

Technical Details for CVE-2026-0989

Vulnerability Analysis

This vulnerability (CWE-674: Uncontrolled Recursion) exists in the RelaxNG schema validation component of libxml2. The root issue stems from the parser's handling of external schema inclusions through <include> directives. When the RelaxNG parser encounters an <include> element, it recursively processes the referenced schema file. However, there is no mechanism to limit or track the depth of these recursive inclusions.

An attacker can exploit this by crafting a RelaxNG schema file that contains nested include directives, either through circular references (schema A includes schema B which includes schema A) or through deeply nested chains of schema files. When the parser attempts to resolve these inclusions, it will continue recursing until the call stack is exhausted.

The attack can be carried out over the network against any application that processes user-supplied RelaxNG schemas or validates XML documents against untrusted schemas. The impact is limited to denial of service through application crashes, with no direct path to code execution or data compromise.

Root Cause

The RelaxNG parser implementation in libxml2 lacks a recursion depth counter or cycle detection mechanism when processing <include> directives. This allows schema files to reference other schemas indefinitely without any bounds checking, ultimately consuming all available stack space and causing the application to crash with a stack overflow exception.

Attack Vector

The vulnerability can be exploited remotely by providing a maliciously crafted RelaxNG schema to an application that uses libxml2 for XML validation. The attacker would need to supply a schema file (or set of schema files) containing recursive or deeply nested include directives. When the target application attempts to parse or validate against these schemas, the uncontrolled recursion occurs. While the attack complexity is considered high due to the specific conditions required, no authentication or user interaction is needed to trigger the vulnerability.

The vulnerability mechanism can be understood through the following scenario: a RelaxNG schema file references an external schema via an <include> directive, which in turn includes another schema, creating either a circular reference loop or an excessively deep chain of inclusions. The parser follows each include without maintaining a depth counter, eventually exhausting the call stack. For detailed technical analysis, refer to the Red Hat CVE-2026-0989 Advisory and Red Hat Bug Report #2429933.

Detection Methods for CVE-2026-0989

Indicators of Compromise

  • Application crashes or unexpected terminations during XML schema validation operations
  • Stack overflow errors in logs associated with libxml2 or RelaxNG parsing functions
  • Abnormally high CPU utilization during XML processing followed by sudden process termination
  • Repeated segmentation faults in applications using libxml2 for schema validation

Detection Strategies

  • Monitor application logs for stack overflow exceptions or segmentation faults related to XML parsing routines
  • Implement application-level monitoring for unusually long processing times during schema validation
  • Deploy SentinelOne Singularity Platform to detect and respond to process crashes and anomalous behavior patterns
  • Review incoming XML schemas for suspicious include directive patterns before processing
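
One way to review a schema set for suspicious include patterns before it reaches the parser, as an added example (not code from libxml2 or from this advisory). It walks the `<include>` graph with an explicit stack and rejects cycles, unresolved targets and over-deep chains; the function names, the `max_depth` and `max_visits` limits and the sample schemas are assumptions constructed for illustration.

```python
import posixpath
import xml.etree.ElementTree as ET

RNG_INCLUDE = "{http://relaxng.org/ns/structure/1.0}include"

class IncludeRejected(Exception):
    """The include graph is cyclic, too deep, too large, or unresolved."""

def include_targets(name, schemas):
    """Normalised names that schema `name` pulls in through <include href>."""
    base = posixpath.dirname(name)
    root = ET.fromstring(schemas[name])
    return [posixpath.normpath(posixpath.join(base, el.get("href")))
            for el in root.iter(RNG_INCLUDE) if el.get("href")]

def check_includes(entry, schemas, max_depth=16, max_visits=256):
    """Walk the include graph without recursing; return the deepest nesting.

    max_depth and max_visits are assumed policy limits, not libxml2 values.
    """
    path, deepest, visits = [entry], 0, 1
    stack = [iter(include_targets(entry, schemas))]
    while stack:
        target = next(stack[-1], None)
        if target is None:              # current schema fully explored
            stack.pop()
            path.pop()
            continue
        if target in path:              # schema is already open higher up
            raise IncludeRejected("cycle: " + " -> ".join(path + [target]))
        if target not in schemas:
            raise IncludeRejected("unresolved include: " + target)
        visits += 1
        if len(path) > max_depth or visits > max_visits:
            raise IncludeRejected(f"limit exceeded at {target}")
        path.append(target)
        deepest = max(deepest, len(path) - 1)
        stack.append(iter(include_targets(target, schemas)))
    return deepest

def rng(*hrefs):
    """Constructed grammar skeleton that includes each href."""
    incs = "".join(f'<include href="{h}"/>' for h in hrefs)
    return ('<grammar xmlns="http://relaxng.org/ns/structure/1.0">' + incs +
            '<start><element name="doc"><empty/></element></start></grammar>')

# Constructed sample sets: a small tree, a two-file loop, a 40-deep chain.
OK = {"main.rng": rng("lib/types.rng", "lib/common.rng"),
      "lib/types.rng": rng("common.rng"), "lib/common.rng": rng()}
CYCLE = {"a.rng": rng("b.rng"), "b.rng": rng("a.rng")}
CHAIN = {f"s{i}.rng": rng(f"s{i + 1}.rng") if i < 40 else rng() for i in range(41)}
```

Because `schemas` holds only the files the service is prepared to load, an href that resolves outside that set is reported as unresolved rather than fetched.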

Monitoring Recommendations

  • Enable verbose logging for XML parsing operations to capture details about include directive resolution
  • Set up alerts for repeated application crashes in services that process XML with RelaxNG validation
  • Monitor resource consumption (stack memory, CPU) during XML validation operations
  • Implement watchdog processes to detect and recover from parser hangs or crashes

How to Mitigate CVE-2026-0989

Immediate Actions Required

  • Audit applications using libxml2 to identify those that process untrusted RelaxNG schemas
  • Implement schema validation in sandboxed environments with resource limits to contain potential crashes
  • Consider disabling RelaxNG schema support if not required by your application
  • Apply vendor patches as they become available from your operating system or libxml2 distribution

Patch Information

No official patch information is available at this time. Organizations should monitor the Red Hat CVE-2026-0989 Advisory for updates on patch availability. Subscribe to security mailing lists from your Linux distribution vendor for notification when patches are released.

Workarounds

  • Restrict the source of RelaxNG schemas to trusted, pre-validated schema files only
  • Implement process-level resource limits using ulimit or container cgroups to restrict stack size and prevent runaway recursion
  • Run XML validation processes in isolated sandboxes with automatic restart capabilities
  • Consider using alternative XML validation libraries or disabling external schema references where possible
```bash
# Configuration example - Set stack size limits for processes using libxml2
# Add to application startup script or systemd service file

# Limit stack size to 8MB to prevent runaway recursion from consuming all memory
ulimit -s 8192

# For systemd services, add to the [Service] section:
# LimitSTACK=8388608

# For containerized applications, set resource limits in your container configuration
# Example Docker run command with stack limit:
# docker run --ulimit stack=8388608:8388608 your-xml-processing-app
```
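
The same stack ceiling applied per validation job, as an added example (not part of the original advisory or of libxml2): the validator runs in a child process with a capped stack and a timeout, and the parent classifies the exit so a crash becomes an alertable result instead of taking the service down. `run_contained`, the result strings, the 10 second timeout and `CRASH_DEMO` (a constructed command that simulates a validator dying with SIGSEGV) are assumptions.

```python
import resource
import signal
import subprocess
import sys

STACK_BYTES = 8 * 1024 * 1024   # same 8 MB ceiling as `ulimit -s 8192`

def _limit_stack():
    """Runs in the child before exec: lower the soft stack limit."""
    _, hard = resource.getrlimit(resource.RLIMIT_STACK)
    if hard == resource.RLIM_INFINITY:
        cap = STACK_BYTES
    else:
        cap = min(STACK_BYTES, hard)
    resource.setrlimit(resource.RLIMIT_STACK, (cap, hard))

def run_contained(argv, timeout=10):
    """Run a validator command in a child process and classify how it ended.

    Real use would pass something like
    ["xmllint", "--noout", "--relaxng", "schema.rng", "doc.xml"].
    """
    try:
        proc = subprocess.run(argv, preexec_fn=_limit_stack, timeout=timeout,
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL)
    except subprocess.TimeoutExpired:
        return "timeout"                 # parser hang: child was killed
    if proc.returncode < 0:              # negative code: ended by a signal
        return "crash:" + signal.Signals(-proc.returncode).name
    return "ok" if proc.returncode == 0 else "rejected"

# Constructed stand-in for a validator that overflows its stack.
CRASH_DEMO = [sys.executable, "-c",
              "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)"]

if __name__ == "__main__":
    print(run_contained(CRASH_DEMO))
```

Counting `crash:` and `timeout` results per schema source gives the repeated-crash signal described under Monitoring Recommendations.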

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: DOS
  • Vendor/Tech: Libxml2
  • Severity: LOW
  • CVSS Score: 3.7
  • EPSS Probability: 0.06%
  • Known Exploited: No

CVSS Vector

  • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Impact Assessment

  • Confidentiality: High
  • Integrity: None
  • Availability: Low

CWE References

  • CWE-674

Technical References

  • Red Hat CVE-2026-0989 Advisory
  • Red Hat Bug Report #2429933

Related CVEs

  • CVE-2026-1757: xmllint libxml2 DoS Vulnerability
  • CVE-2026-0990: libxml2 Denial of Service Vulnerability
  • CVE-2026-0992: libxml2 Library DoS Vulnerability
  • CVE-2020-7595: Xmlsoft Libxml2 DOS Vulnerability