Skip to main content

libexpat xmlwf EUVDEUVD-2026-38187

| CVE-2026-56410 MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-06-21 mitre GHSA-638v-9w3r-gh6q
6.9
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
6.9 MEDIUM
AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
vuln.today AI
6.9 MEDIUM

AV:L because xmlwf requires local execution; AC:H because triggering size_t overflow demands impractically large combined string lengths, especially on 64-bit; C:H/I:H for heap corruption enabling code execution; A:L for incidental crash potential.

3.1 AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
4.0 AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
6.9 MEDIUM
qualitative

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 22, 2026 - 06:42 vuln.today
Analysis Generated
Jun 22, 2026 - 06:42 vuln.today
Patch available
Jun 21, 2026 - 17:01 EUVD

DescriptionCVE.org

xmlwf in libexpat before 2.8.2 has an integer overflow in resolveSystemId.

AnalysisAI

Integer overflow in libexpat's xmlwf tool allows an attacker supplying a crafted XML file with an excessively long DOCTYPE system identifier to trigger a heap buffer overflow via the resolveSystemId function. All libexpat versions before 2.8.2 are affected; the root cause is an unchecked size_t arithmetic operation - both the addition of string lengths and the subsequent multiplication by sizeof(XML_Char) - before a malloc call. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft XML with oversized SYSTEM identifier
Delivery
Influence victim to run xmlwf with long base path
Exploit
resolveSystemId adds lengths without overflow check
Execution
malloc receives undersized argument
Persist
Write past heap boundary
Impact
Arbitrary code execution as xmlwf process user

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions: (1) the target system must be running libexpat earlier than 2.8.2 specifically compiled for a 32-bit architecture (on 64-bit platforms, causing a size_t overflow via string lengths is practically infeasible without extraordinary path lengths exceeding petabytes); (2) the xmlwf command-line tool - not the libexpat core library - must be invoked by the victim or an automated process, meaning this code path is triggered only by xmlwf's resolveSystemId function, not by applications embedding libexpat for XML parsing; (3) the attacker must supply or influence both the XML file content (systemId in DOCTYPE SYSTEM declaration) and/or the base path argument to xmlwf such that their combined character lengths approach SIZE_MAX. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.9 with vector AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L signals a locally exploitable, high-complexity flaw with potentially severe memory-corruption impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with local access crafts an XML file containing a DOCTYPE declaration with an artificially long SYSTEM identifier - long enough that when combined with the base path, the combined length arithmetic overflows size_t. When a developer, CI pipeline, or build script runs xmlwf against this file (e.g., xmlwf -b /very/long/base/path malicious.xml), resolveSystemId performs the unchecked malloc with a wrapped-around (undersized) buffer, and the subsequent string copy writes beyond the heap allocation. …
Remediation Upgrade libexpat to version 2.8.2 or later, which incorporates the integer-overflow guards added in PR #1252. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2022-25315 CRITICAL POC
9.8 Feb 18

In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. Rated critical severity (CVSS 9.8),

CVE-2017-9233 HIGH POC
7.5 Jul 25

XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the p

CVE-2026-45186 HIGH POC
7.5 May 10

Denial of service in libexpat before 2.8.1 lets remote attackers exhaust CPU by submitting moderately sized crafted XML

CVE-2022-43680 HIGH POC
7.5 Oct 24

In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEnti

CVE-2019-15903 HIGH POC
7.5 Sep 04

In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too

CVE-2013-0340 MEDIUM POC
6.8 Jan 21

expat before version 2.4.0 does not properly handle entities expansion unless an application developer uses the XML_SetE

CVE-2016-0718 CRITICAL
9.8 May 26

Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a m

CVE-2024-45492 CRITICAL
9.8 Aug 30

An issue was discovered in libexpat before 2.6.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exp

CVE-2024-45491 CRITICAL
9.8 Aug 30

An issue was discovered in libexpat before 2.6.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exp

CVE-2016-4472 HIGH
8.1 Jun 30

The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attacke

CVE-2022-40674 HIGH
8.1 Sep 14

libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c. Rated high severity (CVSS 8.1), this

CVE-2016-5300 HIGH
7.5 Jun 16

The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attacker

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Not-Affected
SLES15-SP5-CHOST-BYOS-SAP-CCloud Affected
SLES15-SP6-CHOST-BYOS Affected
SLES15-SP6-CHOST-BYOS-Aliyun Affected
SLES15-SP6-CHOST-BYOS-Azure Affected

Share

EUVD-2026-38187 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy