CVE-2006-10002
Heap Overflow in XML::Parser Perl Module Causes Crashes
Publication date: 2026-03-19
Last updated on: 2026-03-23
Assigner: CPANSec
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| toddr | xml | up to 2.48 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
| CWE-176 | The product does not properly handle when an input contains Unicode encoding. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2006-10002 is a buffer overflow vulnerability in the XML::Parser Perl module, specifically in the parse_stream() function of the Expat.xs file. The issue occurs when parsing UTF-8 encoded input streams with a :utf8 PerlIO layer. Perl's read() function returns decoded characters, but SvPV() returns the UTF-8 byte representation, which can be larger than the pre-allocated buffer size. This mismatch causes the XML input buffer to overflow, leading to heap corruption such as double free or corruption errors, and ultimately crashes the Perl interpreter.

The root cause is that the code assumes the number of bytes copied will never exceed the number of characters read, which is invalid for UTF-8 streams due to variable byte-length characters. The vulnerability manifests when the input stream is not set to raw byte mode, which is what the underlying libexpat library expects.

A fix was implemented that dynamically reallocates the buffer when the byte count exceeds the initially allocated buffer size, preventing overflow and heap corruption. Additionally, it is recommended to set input streams to raw byte mode to avoid this issue. [1, 3]
How can this vulnerability impact me?
This vulnerability can cause heap corruption in the Perl interpreter when processing XML data with the XML::Parser module. Specifically, it can lead to double free or memory corruption errors that cause the application or interpreter to crash unexpectedly.
Such crashes can result in denial of service conditions for applications relying on XML::Parser for XML processing. Additionally, heap corruption could potentially be exploited to execute arbitrary code, although no explicit exploit details are provided.
Users processing UTF-8 encoded XML streams without setting the input stream to raw byte mode are particularly at risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability manifests as heap corruption errors such as double free or corruption messages and crashes when parsing UTF-8 encoded XML streams using the XML::Parser Perl module.

To detect the vulnerability, you can check whether your Perl scripts using XML::Parser read UTF-8 input streams without setting the input stream to raw byte mode.

A suggested command to test for the vulnerability is to run a Perl script that parses a UTF-8 encoded XML file with the :utf8 PerlIO layer enabled but without setting binmode to raw bytes. For example:

- `perl -MXML::Parser -e 'binmode(STDIN, ":utf8"); my $p = XML::Parser->new(); $p->parse(*STDIN);' < utf8_encoded_file.xml`

If the parser crashes with heap corruption or double free errors, the system is vulnerable.

Alternatively, check whether your Perl input streams are set to raw mode using commands like:

- `perl -e 'binmode(STDIN, ":bytes");'`

If input streams are not set to raw byte mode, the vulnerability may be present. [3, 1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves ensuring that input streams to XML::Parser are set to raw byte mode to prevent the buffer overflow caused by UTF-8 decoding mismatches.

- Set the input stream to raw mode in Perl scripts using binmode, for example: `binmode(STDIN, ':bytes')`.
- Apply the patch that fixes the buffer overflow in the parse_stream function of XML::Parser, which dynamically reallocates the buffer size based on the actual byte count read.

This patch prevents heap corruption and crashes by correctly handling multi-byte UTF-8 characters without overflowing the buffer.

If patching is not immediately possible, avoid parsing UTF-8 streams with the :utf8 PerlIO layer enabled, or ensure input is properly encoded and handled as raw bytes. [3, 1]
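The script below is an added example, not code from CPANSec or the XML::Parser distribution, covering both the detection check and the raw-byte mitigation above: it builds a constructed UTF-8 document whose byte length is about three times its character count, then hands it to XML::Parser only through a handle that a hypothetical `assert_raw_handle` helper has confirmed carries no :utf8 layer, and shows the same helper refusing a decoding handle.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Encode ();
use File::Temp qw(tempfile);
use XML::Parser;

# Hypothetical helper, not part of XML::Parser: refuse to pass a handle to
# the parser while it carries a :utf8 layer. parse_stream() sizes its buffer
# by characters read, but SvPV() yields the UTF-8 bytes, so a decoded handle
# is exactly the input that overflows the buffer on unpatched versions.
sub assert_raw_handle {
    my ($fh, $name) = @_;
    my @layers = PerlIO::get_layers($fh);
    if (grep { $_ eq 'utf8' } @layers) {
        die "$name has a :utf8 layer (@layers); call binmode(\$fh, ':bytes') first\n";
    }
    return 1;
}

# Constructed sample: 4096 euro signs, each 3 bytes in UTF-8, so the byte
# count is roughly three times the character count the buffer was sized for.
my $doc   = "<?xml version='1.0' encoding='UTF-8'?><d>" . ("\x{20AC}" x 4096) . "</d>";
my $bytes = Encode::encode('UTF-8', $doc);
printf "characters: %d  UTF-8 bytes: %d\n", length($doc), length($bytes);

my ($tmp, $path) = tempfile(SUFFIX => '.xml', UNLINK => 1);
binmode($tmp, ':raw');
print {$tmp} $bytes;
close $tmp or die "close: $!";

my $chars  = 0;
my $parser = XML::Parser->new(Handlers => { Char => sub { $chars += length $_[1] } });

# Safe path: raw bytes, which is what libexpat underneath expects.
open my $raw, '<:raw', $path or die "open: $!";
assert_raw_handle($raw, 'raw handle');
$parser->parse($raw);
close $raw;
print "parsed from raw handle; character data seen: $chars\n";

# Risky path: a decoding layer is present, so the guard stops before parse().
open my $decoded, '<:encoding(UTF-8)', $path or die "open: $!";
eval { assert_raw_handle($decoded, 'decoded handle'); 1 } or print "refused: $@";
close $decoded;
```

The guard is a belt-and-braces check for scripts that accept handles from callers; the patched parse_stream() no longer needs it, but it still documents the byte-mode contract libexpat expects.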