Report an incident
Back
  • About us
  • For experts
Report an incident
About us
About our team Contact
Baza wiedzy
Fałszywe inwestycje Uważaj na fałszywe sklepy online (Nie)bezpieczne płatności Fałszywi konsultanci Zadbaj o bezpieczne hasła i logowanie Fałszywe załączniki w mailach Fałszywe prośby o szybki przelew Fałszywe SMSy - plaga ostatnich miesięcy Bezpieczny telefon
Biuletyn OUCH!
Porady bezpieczeństwa OUCH!
Tools
n6 Artemis MWDB
CVD program
CVD policy Advisories

Vulnerability in libxml2 software
29 June 2026 | CERT Polska | #vulnerability, #warning, #cve
CVE ID CVE-2026-11979
Publication date 29 June 2026
Vendor xmlsoft
Product libxml2
Vulnerable versions All through 2.15.3
Vulnerability type (CWE) Stack-based Buffer Overflow (CWE-121)
Report source Report to CERT Polska

Description

CERT Polska has received a report about vulnerability in xmlsoft libxml2 software and participated in coordination of its disclosure.

The vulnerability CVE-2026-11979: libxml2 is vulnerable to multiple stack-based buffer overflows in the xmlcatalog utility when running in --shell mode. The usershell() function processes user input using fixed-size stack buffers without proper bounds checking. By supplying an overly long input line, an attacker can overflow internal buffers (command, arg, and argv) during input parsing. This results in memory corruption within the stack frame. Successful exploitation may cause a crash or potentially allow arbitrary code execution in the context of the xmlcatalog process.

This issue has been fixed in the commit c2e233fc.

NOTE: The maintainers of this project did not agree that this issue is a vulnerability and considered it a bug.

Credits

We thank Michal Majchrowicz and Marcin Wyczechowski (AFINE) for the responsible vulnerability report.

More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.