Skip to main content

libexpat EUVDEUVD-2026-38180

| CVE-2026-56403 MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-06-21 mitre GHSA-xqw9-f65g-5qxw
6.9
CVSS 3.1 · NVD
Share

Severity by source

Vendor (mitre) PRIMARY
MEDIUM
qualitative
NVD
6.9 MEDIUM
AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
vuln.today AI
7.7 HIGH

AV:N reflects libexpat's primary deployment parsing network-sourced XML; AC:H because the overflow requires namespace tokens approaching INT_MAX length, an inherently difficult constraint.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
6.9 MEDIUM
qualitative

Primary rating from Vendor (mitre).

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 22, 2026 - 06:38 vuln.today
Analysis Generated
Jun 22, 2026 - 06:38 vuln.today
Patch available
Jun 21, 2026 - 17:01 EUVD

DescriptionNVD

libexpat before 2.8.2 has an integer overflow in storeAtts.

AnalysisAI

Integer overflow in libexpat's storeAtts() function before version 2.8.2 allows heap buffer corruption during XML namespace attribute processing. When an XML document contains namespace-qualified attributes whose prefix name or local-part name approaches or exceeds INT_MAX bytes, the combined expanded-name length calculation wraps to a small integer, causing allocation of an undersized heap buffer followed by an out-of-bounds write during the memcpy phase. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Craft XML with oversized namespace prefix
Delivery
Deliver document to libexpat-based parser
Exploit
storeAtts accumulates prefix length past INT_MAX
Install
Integer overflow yields small totalLen
C2
Undersized heap buffer allocated
Execute
memcpy corrupts adjacent heap memory
Impact
Arbitrary code execution or process crash

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target application uses libexpat before 2.8.2 to parse attacker-controlled XML that includes namespace-qualified attributes - specifically, the vulnerable storeAtts() code path is only reached when the parsed XML uses XML namespace bindings (xmlns: prefix declarations); plain XML documents without namespace usage do not enter the affected code. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS vector AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L (score 6.9) assigns a Local attack vector, which is conservative relative to libexpat's actual deployment footprint: the library routinely parses XML originating from HTTP bodies, SOAP messages, SAML assertions, RSS feeds, and other network-delivered content, making an independent AV:N assessment more representative of real-world exposure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a crafted XML document containing a namespace declaration whose prefix name is constructed to be close to or exceeding INT_MAX bytes in length to a service that passes the document through libexpat before 2.8.2. The storeAtts() function increments prefixLen until integer overflow yields a small wrapped value, causing heap allocation of an undersized buffer; the subsequent memcpy writes the full-length string past the buffer boundary, corrupting adjacent heap metadata and potentially enabling controlled code execution within the parsing process.
Remediation The primary fix is to upgrade libexpat to version 2.8.2 or later, which adds size_t-typed intermediate variables and explicit INT_MAX/SIZE_MAX overflow guards in storeAtts() (see https://github.com/libexpat/libexpat/pull/1232). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2022-25315 CRITICAL POC
9.8 Feb 18

In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. Rated critical severity (CVSS 9.8),

CVE-2017-9233 HIGH POC
7.5 Jul 25

XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the p

CVE-2026-45186 HIGH POC
7.5 May 10

Denial of service in libexpat before 2.8.1 lets remote attackers exhaust CPU by submitting moderately sized crafted XML

CVE-2022-43680 HIGH POC
7.5 Oct 24

In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEnti

CVE-2019-15903 HIGH POC
7.5 Sep 04

In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too

CVE-2013-0340 MEDIUM POC
6.8 Jan 21

expat before version 2.4.0 does not properly handle entities expansion unless an application developer uses the XML_SetE

CVE-2016-0718 CRITICAL
9.8 May 26

Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a m

CVE-2024-45492 CRITICAL
9.8 Aug 30

An issue was discovered in libexpat before 2.6.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exp

CVE-2024-45491 CRITICAL
9.8 Aug 30

An issue was discovered in libexpat before 2.6.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exp

CVE-2016-4472 HIGH
8.1 Jun 30

The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attacke

CVE-2022-40674 HIGH
8.1 Sep 14

libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c. Rated high severity (CVSS 8.1), this

CVE-2016-5300 HIGH
7.5 Jun 16

The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attacker

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Not-Affected
SLES15-SP5-CHOST-BYOS-SAP-CCloud Affected
SLES15-SP6-CHOST-BYOS Affected
SLES15-SP6-CHOST-BYOS-Aliyun Affected
SLES15-SP6-CHOST-BYOS-Azure Affected

Share

EUVD-2026-38180 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy