Skip to main content

libexpat CVE-2026-56412

| EUVDEUVD-2026-38189 MEDIUM
Use After Free (CWE-416)
2026-06-21 mitre GHSA-m2mm-5w64-p8p7
5.9
CVSS 3.1 · NVD
Share

Severity by source

Vendor (mitre) PRIMARY
MEDIUM
qualitative
NVD
5.9 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
vuln.today AI
5.6 MEDIUM

AV:N assigned because libexpat commonly parses XML delivered over the network via consuming applications; AC:H retained reflecting the specific policy-violation handler conditions required.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
SUSE
4.9 MEDIUM
AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Red Hat
4.9 MEDIUM
qualitative

Primary rating from Vendor (mitre).

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
CVSS changed
Jun 23, 2026 - 15:53 NVD
4.9 (MEDIUM) 5.9 (MEDIUM)
Source Code Evidence Fetched
Jun 22, 2026 - 06:43 vuln.today
Analysis Generated
Jun 22, 2026 - 06:43 vuln.today
Patch available
Jun 21, 2026 - 18:01 EUVD

DescriptionNVD

libexpat before 2.8.2 does not consider XML_TOK_DATA_CHARS in doCdataSection and thus lacks handler call depth tracking for various calls from within handlers in cases of a policy violation. Thus, a use-after-free can occur. NOTE: this issue exists because of an incomplete fix for CVE-2026-50219.

AnalysisAI

Use-after-free in libexpat before 2.8.2 arises from the doCdataSection function omitting beforeHandler/afterHandler depth-tracking calls for XML_TOK_DATA_CHARS tokens during CDATA section parsing - an incomplete fix for the related CVE-2026-50219. When a policy violation occurs during handler callback invocation in this code path, the parser's internal call-depth counter becomes inconsistent, enabling a use-after-free condition. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Supply crafted XML with malicious CDATA section
Delivery
Trigger XML_TOK_DATA_CHARS processing in doCdataSection
Exploit
Induce policy violation during handler callback
Install
Bypass missing beforeHandler/afterHandler depth tracking
C2
Corrupt handler call-depth counter
Execute
Trigger use-after-free in parser heap
Impact
Achieve limited memory corruption or disclosure

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following: (1) the target application must use libexpat at a version prior to 2.8.2; (2) the application must register XML event handlers that are invoked during CDATA section parsing - applications that parse XML without custom handler callbacks are not affected in the same way; (3) a policy violation must be triggered during handler invocation while processing a `XML_TOK_DATA_CHARS` token inside a CDATA section, which is a non-default and specific XML structural condition. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS score of 4.9 with vector AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L reflects a moderate-to-low real-world risk profile with several important caveats. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious XML document containing a CDATA section that triggers a policy violation during event handler callback invocation within `doCdataSection`, specifically on a `XML_TOK_DATA_CHARS` token. When a libexpat-consuming application - such as a web API, messaging middleware, or content management platform - parses this document, the missing depth-tracking calls leave the parser's internal call-depth counter inconsistent, triggering a use-after-free. …
Remediation Upgrade libexpat to version 2.8.2 or later, which introduces the missing `beforeHandler(parser)` and `afterHandler(parser)` depth-tracking calls in the `XML_TOK_DATA_CHARS` branch of `doCdataSection`. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2022-25315 CRITICAL POC
9.8 Feb 18

In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. Rated critical severity (CVSS 9.8),

CVE-2017-9233 HIGH POC
7.5 Jul 25

XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the p

CVE-2026-45186 HIGH POC
7.5 May 10

Denial of service in libexpat before 2.8.1 lets remote attackers exhaust CPU by submitting moderately sized crafted XML

CVE-2022-43680 HIGH POC
7.5 Oct 24

In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEnti

CVE-2019-15903 HIGH POC
7.5 Sep 04

In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too

CVE-2013-0340 MEDIUM POC
6.8 Jan 21

expat before version 2.4.0 does not properly handle entities expansion unless an application developer uses the XML_SetE

CVE-2016-0718 CRITICAL
9.8 May 26

Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a m

CVE-2024-45492 CRITICAL
9.8 Aug 30

An issue was discovered in libexpat before 2.6.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exp

CVE-2024-45491 CRITICAL
9.8 Aug 30

An issue was discovered in libexpat before 2.6.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exp

CVE-2016-4472 HIGH
8.1 Jun 30

The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attacke

CVE-2022-40674 HIGH
8.1 Sep 14

libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c. Rated high severity (CVSS 8.1), this

CVE-2016-5300 HIGH
7.5 Jun 16

The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attacker

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Not-Affected
SLES15-SP5-CHOST-BYOS-SAP-CCloud Affected
SLES15-SP6-CHOST-BYOS Affected
SLES15-SP6-CHOST-BYOS-Aliyun Affected
SLES15-SP6-CHOST-BYOS-Azure Affected

Share

CVE-2026-56412 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy