Impact
The flaw exists in Perl's XML::Parser up to version 2.45, where the decoded characters returned by Perl's read() do not match the raw UTF‑8 bytes held by SvPV(). This mismatch allows parse_stream() to overrun its allocated buffer, corrupting the heap and causing a double free or other memory corruption. The resulting crashes are a classic buffer‑overflow problem classified under CWE‑122, CWE‑131, and CWE‑176, with a CVSS score of 9.8 that signals a critical risk to confidentiality, integrity, and availability.
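The length mismatch described above, modelled in C as an added example (not code from XML::Parser or from this advisory): a chunk whose character count fits a buffer can still exceed it in raw UTF-8 bytes, so the bounds check has to use the byte length. The function names, the 8-byte capacity and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: U+00E9 eight times = 8 characters, 16 raw bytes. */
static const unsigned char SAMPLE[] =
    "\xC3\xA9\xC3\xA9\xC3\xA9\xC3\xA9\xC3\xA9\xC3\xA9\xC3\xA9\xC3\xA9";
#define SAMPLE_BYTES 16

/* Characters in a UTF-8 byte run: every byte that is not a 10xxxxxx
 * continuation byte starts one. Models a character-oriented read count. */
size_t utf8_char_count(const unsigned char *s, size_t nbytes) {
    size_t chars = 0;
    for (size_t i = 0; i < nbytes; i++)
        if ((s[i] & 0xC0) != 0x80)
            chars++;
    return chars;
}

/* Returns 1 when validating by character count would accept a chunk whose
 * raw bytes do not fit in a cap-byte buffer (the CWE-131 condition). */
int char_count_check_is_unsafe(const unsigned char *s, size_t nbytes, size_t cap) {
    return utf8_char_count(s, nbytes) <= cap && nbytes > cap;
}

/* Hypothetical hardened copy: bounds-check the byte length, never the
 * character count. Returns bytes copied, or -1 if dst would be overrun. */
long copy_chunk_checked(unsigned char *dst, size_t cap,
                        const unsigned char *src, size_t src_bytes) {
    if (src_bytes > cap)
        return -1;
    memcpy(dst, src, src_bytes);
    return (long)src_bytes;
}

int main(void) {
    unsigned char buf[8];
    printf("chars=%zu bytes=%d\n", utf8_char_count(SAMPLE, SAMPLE_BYTES), SAMPLE_BYTES);
    printf("char-count check unsafe: %d\n",
           char_count_check_is_unsafe(SAMPLE, SAMPLE_BYTES, sizeof buf));
    printf("checked copy: %ld\n",
           copy_chunk_checked(buf, sizeof buf, SAMPLE, SAMPLE_BYTES));
    return 0;
}
```

For pure ASCII input the two counts are equal, which is why code with this kind of length confusion can pass tests that never include multi-byte characters.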
Affected Systems
The vulnerability affects the XML::Parser module from the TODDR project, specifically versions 2.45 and earlier. It impacts any Perl installation that uses this library to parse XML streams, regardless of the underlying operating system or environment. The product is identified by the CPE as a Perl module for XML parsing.
Risk and Exploitability
The CVSS rating of 9.8 highlights a severe denial‑of‑service potential. EPSS indicates the likelihood of exploitation is below 1%, and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation has been documented. Based on the description, it is inferred that the attack vector involves delivering specially crafted XML input to the parse_stream() call, which is commonly exposed in Perl applications that accept external XML. An attacker with access to such input could trigger the heap corruption and cause the consuming process to crash, potentially affecting services or systems running with elevated privileges. The overall risk is high, though the current probability of exploitation remains low.