libxml2 is vulnerable to multiple stack-based buffer overflows in the xmlcatalog utility when running in --shell mode. The usershell() function processes user input using fixed-size stack buffers without proper bounds checking. By supplying an overly long input line, an attacker can overflow internal buffers (command, arg, and argv) during input parsing. This results in memory corruption within the stack frame. Successful exploitation may cause a crash or potentially allow arbitrary code execution in the context of the xmlcatalog process. This issue has been fixed in the commit c2e233fc. NOTE: The maintainers of this project did not agree that this issue is a vulnerability and considered it a bug.
libxml2's xmlcatalog utility contains a stack-based buffer overflow in its interactive shell mode (xmlcatalog --shell). The usershell() function copies each input line into fixed-size stack buffers (command, arg and argv) without checking the length first, so an over-long line overruns them and corrupts the stack frame. The bug is reachable only through that interactive shell: non-interactive xmlcatalog invocations and applications that load catalogs through the libxml2 library API never call usershell(), so the realistic exposure is a script or pipeline that runs xmlcatalog --shell with its standard input fed from an untrusted source. The CVSS score of 7.8 places the issue in the High band (not Critical); successful exploitation yields a crash (denial of service) or potentially arbitrary code execution with the privileges of the xmlcatalog process. The preconditions are narrow, since the attacker must already control what is written to the shell's standard input, and that is worth weighing against the CVSS score when prioritising.
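As an added illustration (not libxml2's code, and not part of this page's original content), the following C program reconstructs the shape of the bug and of its fix. The unbounded tokenizer mirrors the copy-until-whitespace pattern described above; the buffer sizes CMD_MAX, ARG_MAX and ARGV_MAX and every function name are assumptions chosen for the demo, not the values in xmlcatalog.c. The bounded version rejects any line whose token would not fit, or that carries more arguments than argv[] has slots, which is the property the fix has to establish.

```c
/* Constructed illustration of the xmlcatalog --shell line-parsing bug.
 * NOT libxml2's code: sizes and names below are assumptions for the demo. */
#include <assert.h>
#include <stdio.h>
#include <string.h>

#define CMD_MAX  16   /* assumed small so the overflow case is easy to see */
#define ARG_MAX  32
#define ARGV_MAX 4

/* Unsafe pattern: copies until whitespace with no bound on i, so a first
 * token longer than CMD_MAX-1 bytes writes past command[] on the stack.
 * Only ever call this with short input; it is here to show the bug shape. */
static void split_unbounded(const char *line, char *command, char *arg) {
    const char *cur = line;
    size_t i = 0;
    while (*cur == ' ' || *cur == '\t') cur++;
    while (*cur && *cur != ' ' && *cur != '\t' && *cur != '\n' && *cur != '\r')
        command[i++] = *cur++;          /* no check against sizeof command */
    command[i] = '\0';
    while (*cur == ' ' || *cur == '\t') cur++;
    i = 0;
    while (*cur && *cur != '\n' && *cur != '\r')
        arg[i++] = *cur++;              /* same defect for arg[] */
    arg[i] = '\0';
}

/* Hardened form: every write is bounded by the destination size. Returns -1
 * (and stops copying) when the token would not fit, instead of truncating
 * silently, so the caller can report the bad line. */
static int copy_token(const char **cur, char *dst, size_t dstsz, int stop_at_space) {
    size_t i = 0;
    const char *p = *cur;
    while (*p && *p != '\n' && *p != '\r' &&
           !(stop_at_space && (*p == ' ' || *p == '\t'))) {
        if (i + 1 >= dstsz) return -1;  /* keep room for the terminator */
        dst[i++] = *p++;
    }
    dst[i] = '\0';
    *cur = p;
    return 0;
}

/* Parses "command arg1 arg2 ..." into command[], arg[] and argv[] (argv points
 * into arg[], which is split in place). Returns 0 on success, -1 if any
 * token is too long or there are more than argvmax arguments. */
static int split_bounded(const char *line, char *command, size_t cmdsz,
                         char *arg, size_t argsz, char **argv, int argvmax,
                         int *argc) {
    const char *cur = line;
    while (*cur == ' ' || *cur == '\t') cur++;
    if (copy_token(&cur, command, cmdsz, 1) != 0) return -1;
    while (*cur == ' ' || *cur == '\t') cur++;
    if (copy_token(&cur, arg, argsz, 0) != 0) return -1;

    *argc = 0;
    char *p = arg;
    while (*p) {
        while (*p == ' ' || *p == '\t') p++;
        if (!*p) break;
        if (*argc >= argvmax) return -1; /* argv[] is a fixed array too */
        argv[(*argc)++] = p;
        while (*p && *p != ' ' && *p != '\t') p++;
        if (*p) *p++ = '\0';
    }
    return 0;
}

int main(void) {
    char command[CMD_MAX], arg[ARG_MAX];
    char *argv[ARGV_MAX];
    int argc = 0;
    char big[256];
    memset(big, 'a', 200);               /* constructed 200-byte first token */
    strcpy(big + 200, " x\n");

    int rc = split_bounded(big, command, sizeof command, arg, sizeof arg,
                           argv, ARGV_MAX, &argc);
    printf("over-long command token: rc=%d (rejected, nothing overflowed)\n", rc);

    rc = split_bounded("add public foo bar", command, sizeof command,
                       arg, sizeof arg, argv, ARGV_MAX, &argc);
    printf("normal line: rc=%d command=%s argc=%d\n", rc, command, argc);
    return 0;
}
```

The unbounded function is deliberately never called on the long line in main(): doing so is undefined behaviour, and with a stack protector it ends in SIGABRT rather than a clean result. The fix's essential change is the single size comparison before each store plus the slot check on argv[]; everything else is the same tokenizer.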
This CVE currently has no mapped MITRE ATT&CK techniques and matches no existing Casky skills, so detection has to rest on the bug's own symptoms rather than on a known exploitation pattern: unexplained crashes of xmlcatalog (SIGSEGV, or SIGABRT when the stack protector catches the overrun, visible in coredumpctl or the system journal), and xmlcatalog being run with --shell in automation with its standard input redirected from a file or pipe that carries untrusted data. Note that the overflow is triggered by an over-long line read from the shell's standard input, not by a long command-line argument, so monitoring argument length alone will not catch it. If a mapping is ever warranted, Exploitation for Client Execution (T1203) describes a local utility fed crafted input; T1190 (Exploit Public-Facing Application) does not fit, because xmlcatalog is not a network-facing service. Remediation is to upgrade to a libxml2 build that contains commit c2e233fc or, failing that, to stop driving xmlcatalog --shell from untrusted input.
Casky currently has 0 skills that investigate the attack patterns behind CVE-2026-11979.
© 2026 Casky.AI, Inc. · AI Security Investigation