CVE-2026-11979
Publication date 29 June 2026
Last updated 7 July 2026
Ubuntu priority
Cvss 3 Severity Score
Description
libxml2 is vulnerable to multiple stack-based buffer overflows in the xmlcatalog utility when running in --shell mode. The usershell() function processes user input using fixed-size stack buffers without proper bounds checking. By supplying an overly long input line, an attacker can overflow internal buffers (command, arg, and argv) during input parsing. This results in memory corruption within the stack frame. Successful exploitation may cause a crash or potentially allow arbitrary code execution in the context of the xmlcatalog process. This issue has been fixed in the commit c2e233fc. NOTE: The maintainers of this project did not agree that this issue is a vulnerability and considered it a bug.
Read the notes from the security team
Why is this CVE negligible priority?
This is only a crash in a command line tool with no security impact.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| libxml2 | 26.04 LTS resolute | Ignored see notes |
| 25.10 questing | Ignored see notes | |
| 24.04 LTS noble | Ignored see notes | |
| 22.04 LTS jammy | Ignored see notes | |
| 20.04 LTS focal | Ignored see notes | |
| 18.04 LTS bionic | Ignored see notes | |
| 16.04 LTS xenial | Ignored see notes | |
| 14.04 LTS trusty | Ignored see notes |
Notes
mdeslaur
Compiler hardening on Ubuntu renders this a denial of service issue only. This is only a denial of service when specifying long command lines to a command line tool. This has no security impact. The libxml2 developer does not consider this to be a security issue. We will not be fixing this issue in Ubuntu. Marking as ignored.
Severity score breakdown
CVSS version:
Base score
1.8 · Low
Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:L/SI:L/SA:N
Base score
7.8 · High
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H