Libexpat CVE-2026-25210
MEDIUMCVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
3DescriptionNVD
In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.
AnalysisAI
Libexpat versions before 2.7.4 are vulnerable to integer overflow in the doContent function during tag buffer reallocation, enabling local attackers with no privileges to achieve high-impact confidentiality and integrity violations. The flaw stems from missing overflow validation when calculating buffer sizes, allowing memory corruption that could lead to information disclosure or code execution. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 30 days: Identify affected systems running libexpat and apply vendor patches as part of regular patch cycle. Vendor patch is available.
Sign in for detailed remediation steps.
More from same product – last 7 days
Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitr
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers
Vendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today