Description
libexpat before 2.8.2 does not consider XML_TOK_DATA_CHARS in doCdataSection and thus lacks handler call depth tracking for various calls from within handlers in cases of a policy violation. Thus, a use-after-free can occur. NOTE: this issue exists because of an incomplete fix for CVE-2026-50219.
Published: 2026-06-21
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because libexpat before version 2.8.2 fails to consider XML_TOK_DATA_CHARS when processing CDATA sections, which bypasses handler call depth tracking. This omission can result in a use‑after‑free condition (CWE‑416) and a failure to correctly track handler depth can also lead to heap corruption (CWE‑825). An attacker capable of supplying crafted XML that triggers a policy violation can trigger the use‑after‑free, potentially corrupting heap memory. The direct impact may include application crashes; arbitrary code execution is inferred based on typical use‑after‑free outcomes but is not explicitly stated in the CVE.

Affected Systems

The libexpat library from the libexpat project, in any installation using a version older than 2.8.2, is affected. The library is frequently embedded in applications and operating systems for XML parsing, implying potential widespread impact – an inference.

Risk and Exploitability

The CVSS score of 4.9 places the vulnerability in the low-to-moderate range, and the EPSS score is not available while it is not listed in KEV, indicating no known active exploitation. The presence of a use‑after‑free condition means that an attacker who can supply malicious XML could exploit the flaw. The exploitation might lead to heap corruption, which could result in crashes or, as inferred, run arbitrary code, although no active attacks have been recorded. The likely attack vector involves providing malicious XML input to a vulnerable application that uses libexpat before 2.8.2.

Generated by OpenCVE AI on June 23, 2026 at 14:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the libexpat library to version 2.8.2 or newer, which includes the depth tracking fix
  • Apply the patch from the libexpat project (pull request 1278) if an official upgrade is not available from your distribution
  • Restrict or sanitize XML input from untrusted sources and consider disabling XML parsing that triggers policy violations until the patch is deployed

Generated by OpenCVE AI on June 23, 2026 at 14:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Use-After-Free Vulnerability in libexpat Due to Missing Depth Tracking libexpat: libexpat: Use-after-free vulnerability due to improper handling of XML CDATA sections
Weaknesses CWE-825
References
Metrics threat_severity

None

threat_severity

Moderate


Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Title Use-After-Free Vulnerability in libexpat Due to Missing Depth Tracking

Sun, 21 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description libexpat before 2.8.2 does not consider XML_TOK_DATA_CHARS in doCdataSection and thus lacks handler call depth tracking for various calls from within handlers in cases of a policy violation. Thus, a use-after-free can occur. NOTE: this issue exists because of an incomplete fix for CVE-2026-50219.
First Time appeared Libexpat Project
Libexpat Project libexpat
Weaknesses CWE-416
CPEs cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*
Vendors & Products Libexpat Project
Libexpat Project libexpat
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L'}


Subscriptions

Libexpat Project Libexpat
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-22T16:31:06.166Z

Reserved: 2026-06-21T15:58:58.955Z

Link: CVE-2026-56412

cve-icon Vulnrichment

Updated: 2026-06-22T16:31:02.986Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-21T15:58:59Z

Links: CVE-2026-56412 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T14:15:04Z

Weaknesses