oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2026-8177: XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences

From: Stig Palmquist <stig () stig io>
Date: Sun, 10 May 2026 22:55:28 +0200
========================================================================
CVE-2026-8177                                        CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-8177
  Distribution:  XML-LibXML
      Versions:  through 2.0210

      MetaCPAN:  https://metacpan.org/dist/XML-LibXML
      VCS Repo:  https://github.com/cpan-authors/XML-LibXML


XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap
memory when parsing XML node names containing truncated UTF-8 byte
sequences

Description
-----------
XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap
memory when parsing XML node names containing truncated UTF-8 byte
sequences.

A node name ending in the middle of a multi byte UTF-8 sequence causes
the parser to read past the end of the input string into adjacent heap
memory.

Any Perl process that passes attacker controlled strings to
XML::LibXML's DOM node-name methods can reach this path on the default
API. The likely consequence is a crash, causing denial of service.

Problem types
-------------
- CWE-125 Out-of-bounds Read

Solutions
---------
Upgrade to a future XML::LibXML release, or apply the upstream patch.


References
----------
https://github.com/cpan-authors/XML-LibXML/issues/146
https://github.com/cpan-authors/XML-LibXML/commit/15652bd905a6c9dda59a81b14d4766adbbae2ea8.patch

Timeline
--------
- 2026-05-08: Upstream fix merged.
Previous By Date Next
Previous By Thread Next

Current thread: