CVE-2026-1757

Published: Feb 2, 2026Modified: Apr 22, 2026Deferred

6.2

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 2.5 / Impact: 3.6

Source: secalert@redhat.com (Secondary)

Description

A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not properly released under certain conditions. When a user submits input consisting only of whitespace, the program skips command execution but fails to free the allocated buffer. Repeating this action causes memory to continuously accumulate. Over time, this can exhaust system memory and terminate the xmllint process, creating a denial-of-service condition on the local system.

Related CWEs

CWE-401

Missing Release of Memory after Effective Lifetime

The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

References (4)

https://access.redhat.com/errata/RHSA-2026:7519

Source: secalert@redhat.com

https://access.redhat.com/security/cve/CVE-2026-1757

Source: secalert@redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2435940

Source: secalert@redhat.com

https://gitlab.gnome.org/GNOME/libxml2/-/issues/1009

Source: secalert@redhat.com

Timeline

No history available yet.