Description
libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_ResumeParser from within handlers in cases of a policy violation. Thus, a use-after-free can occur (similar to the CVE-2026-50219 situation).
Published: 2026-06-19
Score: 4.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In libexpat, prior to version 2.8.2, the library does not track handler call depth when XML_ResumeParser is invoked inside XML handlers after a policy violation. When a handler calls XML_ResumeParser, the internal parser context may reference freed memory, giving rise to a use-after-free condition. An attacker who can supply crafted XML that triggers a policy violation and then causes the parser to resume is able to corrupt memory, potentially leading to arbitrary code execution.

Affected Systems

The vulnerability affects libexpat, the XML parsing library developed by the libexpat project, on all releases older than 2.8.2. No specific distributions or platforms are identified; any system that links against an affected libexpat binary is at risk.

Risk and Exploitability

The CVSS score of 4.9 indicates a moderate vulnerability. No EPSS score is available and the issue is not listed in CISA KEV, suggesting that a public exploit has not yet been documented. The implied attack vector is local or remote XML processing—any environment that feeds untrusted XML to the vulnerable library could be used by an attacker to trigger the use-after-free. While exploitation is not guaranteed, the potential for memory corruption and code execution warrants timely remediation.

Generated by OpenCVE AI on June 19, 2026 at 05:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest libexpat release (2.8.2 or newer) to replace the affected code
  • Audit applications that link against libexpat to confirm that only a fixed version is used
  • If an upgrade cannot be performed immediately, reconfigure those applications so that XML_ResumeParser is not called after a policy violation (for example, avoid resuming on error or disable the function in trusted contexts)
  • Monitor application logs and runtime behavior for signs of memory corruption or crashes that could indicate exploitation attempts

Tracking

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 05:45:00 +0000

Title
  Values removed: (none)
  Values added: Use-After-Free in libexpat's XML_ResumeParser Call Depth Tracking

Fri, 19 Jun 2026 04:30:00 +0000

Description
  Values removed: (none)
  Values added: libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_ResumeParser from within handlers in cases of a policy violation. Thus, a use-after-free can occur (similar to the CVE-2026-50219 situation).
First Time appeared
  Values added: Libexpat Project; Libexpat Project libexpat
Weaknesses
  Values added: CWE-416
CPEs
  Values added: cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*
Vendors & Products
  Values added: Libexpat Project; Libexpat Project libexpat
References
  Values added: (none listed)
Metrics
  Values added: cvssV3_1 {'score': 4.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L'}


Subscriptions

Libexpat Project Libexpat
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-19T02:56:36.041Z

Reserved: 2026-06-19T02:56:35.597Z

Link: CVE-2026-56131

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T06:00:05Z

Weaknesses