Description
A vulnerability was determined in mxml up to 4.0.4. This issue affects the function index_sort of the file mxml-index.c of the component mxmlIndexNew. Executing a manipulation of the argument tempr can lead to stack-based buffer overflow. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. This patch is called 6e27354466092a1ac65601e01ce6708710bb9fa5. A patch should be applied to remediate this issue.
Published: 2026-03-29
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Memory Corruption
Action: Apply Patch
AI Analysis

Impact

A stack‑based buffer overflow is triggered by a maliciously crafted value for the argument named "tempr" in the function index_sort within mxml-index.c of the mxml library. The flaw allows a local attacker to corrupt the stack, potentially causing a program crash or enabling local privilege escalation. The vulnerability is listed as CWE‑119 and CWE‑121, indicating a classic buffer overflow weakness. Because the flaw is confined to local execution, only an attacker able to run code on the affected system can exploit it, yet the impact could be severe if the process runs with elevated privileges.

Affected Systems

The mxml library, version 4.0.4 and earlier, is affected. The vulnerability resides in the mxmlIndexNew component. No additional vendor or product information is supplied, and patch status is identified by commit 6e27354466092a1ac65601e01ce6708710bb9fa5.

Risk and Exploitability

The CVSS base score is 4.8, reflecting a Moderate severity with an Access Vector limited to local. The EPSS score is not provided, and the vulnerability is not listed in CISA’s KEV catalog. An attacker must have local system access to execute the exploit, but the flaw has been publicly disclosed and demonstrated, raising the risk of exploitation in environments where mxml is deployed without an updated version.

Generated by OpenCVE AI on March 29, 2026 at 10:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch from commit 6e27354466092a1ac65601e01ce6708710bb9fa5 or update mxml to a version newer than 4.0.4
  • Verify that the updated library no longer contains the exploitable index_sort function
  • If an update is not available, restrict local users from running affected applications or isolate the application in a sandboxed environment

Generated by OpenCVE AI on March 29, 2026 at 10:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Michaelrsweet
Michaelrsweet mxml
Vendors & Products Michaelrsweet
Michaelrsweet mxml

Sun, 29 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in mxml up to 4.0.4. This issue affects the function index_sort of the file mxml-index.c of the component mxmlIndexNew. Executing a manipulation of the argument tempr can lead to stack-based buffer overflow. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. This patch is called 6e27354466092a1ac65601e01ce6708710bb9fa5. A patch should be applied to remediate this issue.
Title mxml mxmlIndexNew mxml-index.c index_sort stack-based overflow
Weaknesses CWE-119
CWE-121
References
Metrics cvssV2_0

{'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}

cvssV3_0

{'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}

cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Michaelrsweet Mxml
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-01T14:32:02.218Z

Reserved: 2026-03-27T16:23:50.496Z

Link: CVE-2026-5037

cve-icon Vulnrichment

Updated: 2026-04-01T14:31:58.351Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-29T09:15:56.340

Modified: 2026-03-30T13:26:07.647

Link: CVE-2026-5037

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T06:58:32Z

Weaknesses