Description
XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences.

A node name ending in the middle of a multi-byte UTF-8 sequence causes the parser to read past the end of the input string into adjacent heap memory.

Any Perl process that passes attacker-controlled strings to XML::LibXML's DOM node-name methods can reach this path on the default API. The likely consequence is a crash, causing denial of service.
Published: 2026-05-10
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

XML::LibXML versions through 2.0210 for Perl contain an out-of-bounds heap memory read (CWE-125) that occurs when the parser processes XML node names that contain a truncated UTF-8 byte sequence. The bug causes the parser to read past the end of the input string into adjacent heap memory, leading to a crash of the Perl process. The likely consequence is a denial of service for any application that uses XML::LibXML's DOM node-name methods with attacker-controlled input.

Affected Systems

The affected product is SHLOMIF's Perl module XML::LibXML. Any installation of XML::LibXML version 2.0210 or earlier is vulnerable; newer releases are not affected.

Risk and Exploitability

The flaw does not involve direct code execution, but it allows a remote or local attacker who can supply crafted XML to cause a process crash, impacting availability. No CVSS score is listed, EPSS is not available and the vulnerability is not included in the CISA KEV catalog, so the exploitation likelihood is uncertain; however, the attack vector requires the target application to parse untrusted XML data, which is common in web services and data interchange scenarios.

Generated by OpenCVE AI on May 10, 2026 at 22:20 UTC.

Remediation

Vendor Solution

Upgrade to a future XML::LibXML release, or apply the upstream patch.

OpenCVE Recommended Actions

  • Upgrade XML::LibXML to a version newer than 2.0210
  • If an upgrade is not possible, apply the upstream patch provided at the vendor's repository
  • Validate or sanitize any XML node names that come from untrusted sources and avoid passing them to the vulnerable node-name APIs

Generated by OpenCVE AI on May 10, 2026 at 22:20 UTC.
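A defensive pre-check for the last recommended action above, added here as an example; it is not code from XML::LibXML, its maintainer, or OpenCVE. It assumes node names arrive as raw bytes from an untrusted source and that only an accepted name is handed on to XML::LibXML's DOM node-name methods (the page does not say which methods beyond "node-name methods"); the sample inputs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Encode qw(decode FB_CROAK);

# Validate an untrusted XML node name before it reaches XML::LibXML.
# Returns the decoded name, or undef when the bytes are not complete,
# well-formed UTF-8 or do not look like an XML Name.
sub safe_node_name {
    my ($bytes) = @_;

    # FB_CROAK makes decode() die on malformed input, including a multi-byte
    # sequence cut off before its last continuation byte; eval traps that.
    my $name = eval { decode('UTF-8', $bytes, FB_CROAK) };
    return undef unless defined $name;

    # Conservative subset of the XML 1.0 Name production: a letter, underscore
    # or colon, then letters, digits, underscores, colons, dots or hyphens.
    return undef unless $name =~ /\A[\p{L}_:][\p{L}\p{N}_:.\-]*\z/;

    return $name;
}

# Constructed samples (hypothetical, not taken from the advisory): a complete
# UTF-8 name, the same name cut off inside its last character, and a string
# that is valid UTF-8 but not an XML Name.
my %sample = (
    complete  => "caf\xC3\xA9",   # "cafe" with e-acute, fully encoded
    truncated => "caf\xC3",       # lead byte present, continuation byte missing
    notaname  => "1st",           # digits may not start an XML Name
);

for my $label (sort keys %sample) {
    my $hex  = join ' ', map { sprintf '%02x', ord } split //, $sample{$label};
    my $name = safe_node_name($sample{$label});
    printf "%-9s [%s] -> %s\n", $label, $hex,
        defined $name ? "accepted, safe to pass to the DOM API" : "rejected";
}
```

Only names that come back defined should be passed to the node-name methods; anything else is dropped or logged before the parser ever sees it.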

Advisories

No advisories yet.

History

Mon, 11 May 2026 02:30:00 +0000

Type Values Removed Values Added
References

Mon, 11 May 2026 00:00:00 +0000

Type Values Removed Values Added
References

Sun, 10 May 2026 21:15:00 +0000

Type Values Removed Values Added
Description XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences. A node name ending in the middle of a multi byte UTF-8 sequence causes the parser to read past the end of the input string into adjacent heap memory. Any Perl process that passes attacker controlled strings to XML::LibXML's DOM node-name methods can reach this path on the default API. The likely consequence is a crash, causing denial of service.
Title XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences
Weaknesses CWE-125
References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-11T01:36:04.021Z

Reserved: 2026-05-08T15:36:17.532Z

Link: CVE-2026-8177

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-10T21:16:30.003

Modified: 2026-05-11T02:16:26.750

Link: CVE-2026-8177

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T22:30:21Z

Weaknesses