Description
libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset from within handlers in cases of a policy violation. Thus, a use-after-free can occur,
Published: 2026-06-04
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The libexpat XML parser before version 2.8.2 lacks proper depth tracking for handler‑invoked calls during a policy violation, permitting a use‑after‑free. This flaw is classified as CWE‑416 and CWE‑911 and can corrupt memory, as indicated by its CVSS score of 4.9.

Affected Systems

The vulnerability affects the libexpat project’s XML parsing library in all releases older than 2.8.2. Executables or services that link against these versions and parse XML from untrusted sources are potentially exposed to the flaw.

Risk and Exploitability

With a moderate CVSS score and an EPSS score of < 1 %, the likelihood of exploitation is low but not zero, and the vulnerability is not yet listed in the CISA KEV catalog. The most likely attack vector involves an attacker delivering a crafted XML document that triggers erroneous handler calls, resulting in a use‑after‑free that can corrupt memory.

Generated by OpenCVE AI on June 8, 2026 at 14:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to libexpat version 2.8.2 or later to remove the depth‑tracking defect.
  • If an upgrade is infeasible, restrict any XML processed from untrusted sources to validated, whitelisted schemas and avoid re‑entrant calls such as XML_GetBuffer or XML_Parse inside callbacks.
  • Audit application code that invokes XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset from within handler callbacks and refactor to eliminate re‑entrancy or isolate the parser in a separate process.

Generated by OpenCVE AI on June 8, 2026 at 14:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free in libexpat XML Parser Due to Missing Call Depth Tracking expat: libexpat: Use-after-free vulnerability due to improper handler call depth tracking
Weaknesses CWE-911
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 04 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free in libexpat XML Parser Due to Missing Call Depth Tracking

Thu, 04 Jun 2026 05:30:00 +0000

Type Values Removed Values Added
Description libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset from within handlers in cases of a policy violation. Thus, a use-after-free can occur,
First Time appeared Libexpat Project
Libexpat Project libexpat
Weaknesses CWE-416
CPEs cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*
Vendors & Products Libexpat Project
Libexpat Project libexpat
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

Libexpat Project Libexpat
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-04T12:36:14.744Z

Reserved: 2026-06-04T04:20:31.953Z

Link: CVE-2026-50219

cve-icon Vulnrichment

Updated: 2026-06-04T12:36:11.037Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T06:16:25.050

Modified: 2026-06-04T18:39:29.530

Link: CVE-2026-50219

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-04T04:20:32Z

Links: CVE-2026-50219 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-08T14:30:06Z

Weaknesses