Skip to main content

Mxml CVE-2026-5037

| EUVDEUVD-2026-16983 LOW
Stack-based Buffer Overflow (CWE-121)
2026-03-29 VulDB
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
1.7 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
4.8 (MEDIUM) 1.9 (LOW)
PoC Detected
Mar 30, 2026 - 13:26 vuln.today
Public exploit code
EUVD ID Assigned
Mar 29, 2026 - 09:00 euvd
EUVD-2026-16983
Analysis Generated
Mar 29, 2026 - 09:00 vuln.today
Patch released
Mar 29, 2026 - 09:00 nvd
Patch available
CVE Published
Mar 29, 2026 - 08:45 nvd
MEDIUM 4.8

DescriptionCVE.org

A vulnerability was determined in mxml up to 4.0.4. This issue affects the function index_sort of the file mxml-index.c of the component mxmlIndexNew. Executing a manipulation of the argument tempr can lead to stack-based buffer overflow. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. This patch is called 6e27354466092a1ac65601e01ce6708710bb9fa5. A patch should be applied to remediate this issue.

AnalysisAI

Stack-based buffer overflow in mxml up to version 4.0.4 allows local authenticated attackers to cause a denial of service by manipulating the tempr argument in the index_sort function within mxmlIndexNew. The vulnerability has a low CVSS score of 3.3 due to local-only attack vector and denial-of-service impact, but publicly available exploit code exists and a vendor patch has been released.

Technical ContextAI

The vulnerability resides in the mxml-index.c file, specifically in the index_sort function called by mxmlIndexNew, which is responsible for creating and sorting XML element indices. The root cause is a classic stack-based buffer overflow (CWE-121: Stack-based Buffer Overflow) where insufficient bounds checking on the tempr parameter allows an attacker to write beyond allocated stack memory. This is a C library vulnerability in a widely-used XML manipulation utility, and the attack requires local file system access to provide a maliciously crafted XML input that triggers the overflow during index creation.

RemediationAI

Upgrade mxml to a version containing the vendor-released patch commit 6e27354466092a1ac65601e01ce6708710bb9fa5 or later. Users should check the official mxml GitHub repository at https://github.com/michaelrsweet/mxml for the latest stable release and apply it immediately. If upgrading is not immediately feasible, restrict local user access and authentication privileges on systems running vulnerable versions of mxml, and avoid processing untrusted XML input files with mxmlIndexNew functionality. Refer to the vendor advisory and GitHub issue at https://github.com/michaelrsweet/mxml/issues/350 for additional technical details and validation.

Vendor StatusVendor

Debian

mxml
Release Status Fixed Version Urgency
bullseye vulnerable 3.2-1 -
forky, bookworm, trixie vulnerable 3.3.1-1 -
sid vulnerable 4.0.4-3 -
(unstable) fixed (unfixed) -

SUSE

Severity: Low

Share

CVE-2026-5037 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy