Skip to main content

libexpat EUVDEUVD-2026-37976

| CVE-2026-56131 MEDIUM
Use After Free (CWE-416)
2026-06-19 mitre GHSA-fchf-wvcc-qf9g
4.9
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
4.9 MEDIUM
AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
vuln.today AI
5.6 MEDIUM

AV:N because XML triggering the handler arrives over network; AC:H retained as the re-entrant handler pattern is a non-default application prerequisite.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Patch available
Jun 19, 2026 - 07:16 EUVD
Source Code Evidence Fetched
Jun 19, 2026 - 04:46 vuln.today
Analysis Generated
Jun 19, 2026 - 04:46 vuln.today

DescriptionCVE.org

libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_ResumeParser from within handlers in cases of a policy violation. Thus, a use-after-free can occur (similar to the CVE-2026-50219 situation).

AnalysisAI

Use-after-free in libexpat before 2.8.2 allows memory corruption when XML_ResumeParser is called from within a handler callback during a policy-violation scenario. The missing call-depth guard permits re-entrant parser invocation, leaving dangling pointers in the parser's internal heap state and enabling potential information disclosure or memory corruption with low confidentiality, integrity, and availability impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify application with vulnerable libexpat and re-entrant handler pattern
Delivery
Deliver crafted XML to trigger character data handler
Exploit
Handler calls XML_StopParser then XML_ResumeParser re-entrantly
Execution
Parser re-enters parse loop with stale handler stack frame
Persist
Use-after-free corrupts heap state
Impact
Memory disclosure or parser process crash

Vulnerability AssessmentAI

Exploitation Exploitation requires two simultaneous conditions: (1) the target application links against libexpat before version 2.8.2, and (2) the application implements a handler callback (such as XML_SetCharacterDataHandler) that calls XML_StopParser with resumable=XML_TRUE followed immediately by XML_ResumeParser on the same parser object before the handler returns. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 4.9 with vector AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L reflects a constrained risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker supplies crafted XML to an application that uses a vulnerable libexpat version and whose handler callback suspends and immediately resumes the parser from within the same handler invocation. When the character data (or similar) handler calls XML_StopParser followed by XML_ResumeParser on the active parser, libexpat re-enters the parse loop with a stale stack frame, producing a use-after-free condition that can leak heap memory contents or corrupt parser state. …
Remediation Upgrade libexpat to version 2.8.2 or later, which adds the isCalledFromInsideHandler guard to XML_ResumeParser (upstream fix: https://github.com/libexpat/libexpat/pull/1267). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2022-25315 CRITICAL POC
9.8 Feb 18

In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. Rated critical severity (CVSS 9.8),

CVE-2017-9233 HIGH POC
7.5 Jul 25

XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the p

CVE-2026-45186 HIGH POC
7.5 May 10

Denial of service in libexpat before 2.8.1 lets remote attackers exhaust CPU by submitting moderately sized crafted XML

CVE-2022-43680 HIGH POC
7.5 Oct 24

In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEnti

CVE-2019-15903 HIGH POC
7.5 Sep 04

In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too

CVE-2013-0340 MEDIUM POC
6.8 Jan 21

expat before version 2.4.0 does not properly handle entities expansion unless an application developer uses the XML_SetE

CVE-2016-0718 CRITICAL
9.8 May 26

Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a m

CVE-2024-45492 CRITICAL
9.8 Aug 30

An issue was discovered in libexpat before 2.6.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exp

CVE-2024-45491 CRITICAL
9.8 Aug 30

An issue was discovered in libexpat before 2.6.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exp

CVE-2016-4472 HIGH
8.1 Jun 30

The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attacke

CVE-2022-40674 HIGH
8.1 Sep 14

libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c. Rated high severity (CVSS 8.1), this

CVE-2016-5300 HIGH
7.5 Jun 16

The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attacker

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Micro 5.3 Affected
SUSE Linux Enterprise Micro 5.4 Affected
SUSE Linux Enterprise Micro 5.5 Affected

Share

EUVD-2026-37976 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy