Skip to main content

libexpat CVE-2026-56132

| EUVDEUVD-2026-37977 MEDIUM
Incorrect Synchronization (CWE-821)
2026-06-19 mitre GHSA-425r-vwq2-26qv
6.9
CVSS 3.1 · NVD
Share

Severity by source

Vendor (mitre) PRIMARY
MEDIUM
qualitative
NVD
6.9 MEDIUM
AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
vuln.today AI
6.9 MEDIUM

Local vector retained because standard external entity resolution targets local files; AC:H reflects required non-default configuration plus precise nesting depth; PR:N since no attacker system privilege is needed.

3.1 AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
4.0 AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
6.9 MEDIUM
qualitative

Primary rating from Vendor (mitre).

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

3
Patch available
Jun 19, 2026 - 07:16 EUVD
Source Code Evidence Fetched
Jun 19, 2026 - 04:47 vuln.today
Analysis Generated
Jun 19, 2026 - 04:47 vuln.today

DescriptionNVD

In libexpat before 2.8.2, there is a heap-based buffer overflow in doProlog in xmlparse.c because scaffold backing array reallocation is mishandled when there is data-structure sharing across parsers.

AnalysisAI

Heap-based buffer overflow in libexpat before 2.8.2 allows heap memory corruption in applications that process externally-supplied XML with external entity parameter parsing enabled. The flaw resides in the doProlog function of xmlparse.c, where the scaffold backing array (scaffIndex) - used to index DTD content model tree nodes - is reallocated using the child parser's m_groupSize counter, which diverges from the actual allocated capacity of the shared scaffIndex inherited from the parent parser. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Craft XML with 64+ nested DTD content model declarations
Delivery
Embed external parameter entity reference in DOCTYPE
Exploit
Submit to application with XML_PARAM_ENTITY_PARSING enabled
Install
libexpat creates child parser sharing parent DTD scaffIndex
C2
Child parser's m_groupSize triggers misaligned scaffIndex realloc
Execute
Heap buffer overflow corrupts adjacent allocations
Impact
Achieve code execution in application context

Vulnerability AssessmentAI

Exploitation Exploitation requires two concurrent conditions, both of which must be present: (1) The application must have external entity parameter parsing explicitly enabled via XML_SetParamEntityParsing with either XML_PARAM_ENTITY_PARSING_ALWAYS or XML_PARAM_ENTITY_PARSING_UNLESS_STANDALONE - this is NOT enabled by default in libexpat, meaning the application developer must have affirmatively opted into this behavior; (2) The attacker-controlled XML input must contain a DTD with deeply nested element content model declarations (the upstream test case uses 64+ levels of recursive grouping) sufficient to trigger multiple scaffold array reallocations, combined with a parameter entity reference that causes libexpat to create an external entity sub-parser that inherits the parent DTD's scaffIndex. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.9 Medium vector AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L warrants careful interpretation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a crafted XML document containing a DOCTYPE with 64 or more levels of deeply nested element content model declarations followed by a parameter entity reference pointing to an external resource. When a vulnerable application with XML_PARAM_ENTITY_PARSING_ALWAYS configured processes this document, libexpat creates a child parser for the external entity that inherits the parent DTD's scaffIndex by reference. …
Remediation Upgrade libexpat to version 2.8.2 or later as stated in the CVE description. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2022-25315 CRITICAL POC
9.8 Feb 18

In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. Rated critical severity (CVSS 9.8),

CVE-2017-9233 HIGH POC
7.5 Jul 25

XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the p

CVE-2026-45186 HIGH POC
7.5 May 10

Denial of service in libexpat before 2.8.1 lets remote attackers exhaust CPU by submitting moderately sized crafted XML

CVE-2022-43680 HIGH POC
7.5 Oct 24

In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEnti

CVE-2019-15903 HIGH POC
7.5 Sep 04

In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too

CVE-2013-0340 MEDIUM POC
6.8 Jan 21

expat before version 2.4.0 does not properly handle entities expansion unless an application developer uses the XML_SetE

CVE-2016-0718 CRITICAL
9.8 May 26

Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a m

CVE-2024-45492 CRITICAL
9.8 Aug 30

An issue was discovered in libexpat before 2.6.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exp

CVE-2024-45491 CRITICAL
9.8 Aug 30

An issue was discovered in libexpat before 2.6.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exp

CVE-2016-4472 HIGH
8.1 Jun 30

The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attacke

CVE-2022-40674 HIGH
8.1 Sep 14

libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c. Rated high severity (CVSS 8.1), this

CVE-2016-5300 HIGH
7.5 Jun 16

The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attacker

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Micro 5.3 Affected
SUSE Linux Enterprise Micro 5.4 Affected
SUSE Linux Enterprise Micro 5.5 Affected

Share

CVE-2026-56132 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy