Description
In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.
Published: 2026-01-30
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure and Data Integrity
Action: Patch
AI Analysis

Impact

A flaw in libexpat’s doContent function allows an integer overflow during tag buffer reallocation, which can expose internal memory contents or corrupt data. The weakness stems from the lack of a bounds check when determining the buffer size, and it is classified as a CWE-190 overflow.

Affected Systems

The vulnerability affects all versions of the libexpat project’s libexpat library prior to 2.7.4. Applications that embed or link against these older releases may be impacted.

Risk and Exploitability

The CVSS base score of 6.9 indicates medium severity. An EPSS score of less than 1% suggests a very low probability of exploitation at the time of analysis, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that an attacker could craft malicious XML input that triggers the overflow during buffer reallocation when processed by libexpat, potentially leading to information disclosure or data corruption. The attack could originate either locally or remotely, depending on where the XML is accepted.

Generated by OpenCVE AI on April 18, 2026 at 14:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libexpat to version 2.7.4 or later to eliminate the integer overflow and enforce proper bounds checking.
  • If an upgrade is not immediately possible, enforce strict size limits on XML input or implement custom validation to ensure that tags do not exceed a safe threshold before passing data to libexpat.
  • Run memory-error detection tools, such as AddressSanitizer or Valgrind, during development and testing to detect potential overflows before the code reaches production.

Advisories

No advisories yet.

History

Tue, 03 Feb 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 31 Jan 2026 00:15:00 +0000

Type | Values Removed | Values Added
Title | | libexpat: libexpat: Information disclosure and data integrity issues due to integer overflow in buffer reallocation
References | |
Metrics | threat_severity None | threat_severity Moderate


Fri, 30 Jan 2026 07:15:00 +0000

Type | Values Removed | Values Added
Description | | In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.
First Time appeared | | Libexpat Project; Libexpat Project libexpat
Weaknesses | | CWE-190
CPEs | | cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*
Vendors & Products | | Libexpat Project; Libexpat Project libexpat
References | |
Metrics | | cvssV3_1 {'score': 6.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-30T03:55:58.137Z

Reserved: 2026-01-30T06:40:27.642Z

Link: CVE-2026-25210

Vulnrichment

Updated: 2026-02-03T15:53:38.257Z

NVD

Status: Analyzed

Published: 2026-01-30T07:16:15.570

Modified: 2026-03-10T18:17:12.780

Link: CVE-2026-25210

Redhat

Severity: Moderate

Public Date: 2026-01-30T06:40:27Z

Links: CVE-2026-25210 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T14:45:03Z

Weaknesses