Description
xmlwf in libexpat before 2.8.2 has an integer overflow in endDoctypeDecl via NOTATION declarations.
Published: 2026-06-21
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

xmlwf, the XML writer used in the libexpat library, contains an integer overflow bug in the endDoctypeDecl routine when processing NOTATION declarations. The overflow can corrupt internal counters and may lead to buffer overrun or other memory corruption, which could compromise the integrity of the application parsing the XML. The bug is not an immediate remote code execution flaw, but it can be leveraged by an attacker who supplies a crafted XML document to cause application instability or create an opportunity for more complex exploitation.

Affected Systems

The vulnerability affects the libexpat project’s libexpat library in all releases prior to 2.8.2. Any software that links against that library and parses XML containing NOTATION declarations is potentially impacted, including embedded processors, web servers, and application frameworks that include libexpat.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity, and the EPSS score is not available, so the exact likelihood of exploitation is unclear. The vulnerability is not listed in the CISA KEV catalog, suggesting no mass exploitation has been reported. The likely attack vector requires an attacker to supply malicious XML input that is processed by the vulnerable library, which may be possible in remote or local contexts depending on the application's exposure to untrusted data.

Generated by OpenCVE AI on June 21, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libexpat to version 2.8.2 or newer, which contains a fixed implementation of endDoctypeDecl.
  • Recompile all dependent applications with the updated library to ensure the fix is active.
  • If an immediate upgrade is infeasible, configure applications to disable XML NOTATION declarations or restrict XML parsing to trusted sources as a temporary mitigation.

Generated by OpenCVE AI on June 21, 2026 at 17:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Integer Overflow in XML Notation Declaration Parsing expat: libexpat: Integer Overflow Vulnerability Leading to Information Disclosure or Code Execution
References
Metrics threat_severity

None

threat_severity

Moderate


Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Title Integer Overflow in XML Notation Declaration Parsing

Sun, 21 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description xmlwf in libexpat before 2.8.2 has an integer overflow in endDoctypeDecl via NOTATION declarations.
First Time appeared Libexpat Project
Libexpat Project libexpat
Weaknesses CWE-190
CPEs cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*
Vendors & Products Libexpat Project
Libexpat Project libexpat
References
Metrics cvssV3_1

{'score': 6.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L'}


Subscriptions

Libexpat Project Libexpat
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-22T16:31:30.518Z

Reserved: 2026-06-21T15:56:42.365Z

Link: CVE-2026-56411

cve-icon Vulnrichment

Updated: 2026-06-22T16:31:27.615Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-21T15:56:42Z

Links: CVE-2026-56411 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-21T19:30:16Z

Weaknesses
  • CWE-190

    Integer Overflow or Wraparound