Description
libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset from within handlers in cases of a policy violation. Thus, a use-after-free can occur,
Published: 2026-06-04
Score: 4.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The libexpat XML parser before version 2.8.2 does not maintain proper call depth tracking for handler‑invoked parser calls when a policy violation occurs, which can result in a use‑after‑free. The flaw is classified as CWE‑416: it can corrupt memory and potentially enable code execution or other compromise, and it carries a CVSS score of 4.9.

Affected Systems

The vulnerability affects the libexpat project’s XML parsing library in all releases older than 2.8.2. Executables or services that link against these versions and parse XML from untrusted sources are potentially exposed to the flaw.

Risk and Exploitability

With a moderate CVSS score and no EPSS data, the likelihood of exploitation is uncertain; the vulnerability is not yet listed in the CISA KEV catalog. The most likely attack vector is an attacker delivering a crafted XML document that drives the parser into the erroneous handler calls, leading to a use‑after‑free condition.

Generated by OpenCVE AI on June 4, 2026 at 06:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade or replace libexpat with version 2.8.2 or later.
  • Ensure that any XML parsing logic does not call XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset from within handler callbacks during policy violations.
  • Apply security testing to validate that XML inputs cannot trigger a use‑after‑free in the parser.


Advisories

No advisories yet.

History

Thu, 04 Jun 2026 06:45:00 +0000

Type: Title
Values Added: Use‑After‑Free in libexpat XML Parser Due to Missing Call Depth Tracking

Thu, 04 Jun 2026 05:30:00 +0000

Type: Description
Values Added: libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset from within handlers in cases of a policy violation. Thus, a use-after-free can occur,

Type: First Time appeared
Values Added: Libexpat Project; Libexpat Project libexpat

Type: Weaknesses
Values Added: CWE-416

Type: CPEs
Values Added: cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Libexpat Project; Libexpat Project libexpat

Type: References
Values Added: (none)

Type: Metrics
Values Added: cvssV3_1 {'score': 4.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-04T04:23:59.788Z

Reserved: 2026-06-04T04:20:31.953Z

Link: CVE-2026-50219

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-04T06:16:25.050

Modified: 2026-06-04T06:16:25.050

Link: CVE-2026-50219

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T06:30:07Z

Weaknesses