Skip to main content

libexpat CVE-2026-50219

| EUVDEUVD-2026-34206 MEDIUM
Use After Free (CWE-416)
2026-06-04 mitre GHSA-v3cw-2f3g-f38x
4.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.9 MEDIUM
AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
SUSE
MEDIUM
qualitative
Red Hat
4.9 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Patch available
Jun 04, 2026 - 07:01 EUVD
Source Code Evidence Fetched
Jun 04, 2026 - 05:44 vuln.today
Analysis Generated
Jun 04, 2026 - 05:44 vuln.today

DescriptionCVE.org

libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset from within handlers in cases of a policy violation. Thus, a use-after-free can occur,

AnalysisAI

Use-after-free in libexpat before 2.8.2 allows memory corruption, information disclosure, and potential code execution when prohibited API functions are called from within XML event handler callbacks. All libexpat consumers - including language bindings such as CPython's xml.parsers.expat - are affected when handler code (or attacker-influenced handler logic) invokes XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset in a re-entrant manner during active parsing. No public exploit code exists at time of analysis and this CVE is not listed in the CISA Known Exploited Vulnerabilities catalog, but the CPython project has an associated open issue (python/cpython#146169) indicating ecosystem-wide reach.

Technical ContextAI

libexpat (CPE: cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*) is a widely embedded C XML stream parser used directly and via language bindings in Python, PHP, Perl, Ruby, and many others. The library dispatches user-supplied handler callbacks (element start/end, character data, entity references, etc.) during XML_Parse and XML_ParseBuffer calls. Prior to 2.8.2, the parser struct (XML_ParserStruct) lacked a handler call depth counter (m_handlerCallDepth), so the library could not detect when its own API functions were invoked re-entrantly from within an active handler. CWE-416 (Use After Free) is the root cause: if XML_ParserFree or XML_ParserReset is called from within a handler, the parser object is freed or reset while still referenced by the active call stack, leaving dangling pointers. Similarly, calling XML_Parse or XML_ParseBuffer re-entrantly can corrupt internal parser state. The fix in PR #1246 adds beforeHandler/afterHandler bookkeeping functions that increment/decrement m_handlerCallDepth, and guards each prohibited function with an isCalledFromInsideHandler() check that returns XML_STATUS_ERROR on violation.

RemediationAI

The primary remediation is to upgrade libexpat to version 2.8.2, which introduces handler call depth tracking and blocks the prohibited re-entrant API calls with a hard error (XML_STATUS_ERROR). The fix is upstream in PR #1246 (https://github.com/libexpat/libexpat/pull/1246); however, the formal release date for 2.8.2 was listed as TBD (placeholder date) at time of PR submission - monitor the libexpat releases page for a tagged artifact before deploying. For Python consumers, track https://github.com/python/cpython/issues/146169 for a coordinated CPython fix and upgrade to the patched Python release once available. As a compensating control where upgrading is not immediately possible, application developers should audit all XML event handler callbacks to ensure none of the following functions are called from within a handler context: XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, XML_ParserReset. Removing or deferring such calls eliminates the re-entrant trigger condition; this is a code change rather than a configuration change and requires application-level review. Restricting untrusted XML input at the network boundary reduces attack surface but does not eliminate the vulnerability if internal handler logic is already non-compliant.

Vendor StatusVendor

Debian

expat
Release Status Fixed Version Urgency
bullseye vulnerable 2.2.10-2+deb11u5 -
bullseye (security) vulnerable 2.2.10-2+deb11u7 -
bookworm vulnerable 2.5.0-1+deb12u2 -
bookworm (security) vulnerable 2.5.0-1+deb12u1 -
trixie vulnerable 2.7.1-2 -
forky, sid vulnerable 2.8.1-1 -
(unstable) fixed (unfixed) -

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Micro 5.3 Affected
SUSE Linux Enterprise Micro 5.4 Affected
SUSE Linux Enterprise Micro 5.5 Affected

Share

CVE-2026-50219 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy