CVE-2006-10002
Received Received - Intake
Heap Overflow in XML::Parser Perl Module Causes Crashes

Publication date: 2026-03-19

Last updated on: 2026-03-23

Assigner: CPANSec

Description
XML::Parser versions through 2.45 for Perl could overflow the pre-allocated buffer size cause a heap corruption (double free or corruption) and crashes. A :utf8 PerlIO layer, parse_stream() in Expat.xs could overflow the XML input buffer because Perl's read() returns decoded characters while SvPV() gives back multi-byte UTF-8 bytes that can exceed the pre-allocated buffer size. This can cause heap corruption (double free or corruption) and crashes.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-19
EPSS Evaluated
2026-06-15
NVD
CVE-2006-10002
EUVD
EUVD-2006-7232
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
toddr xml to 2.48 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-176 The product does not properly handle when an input contains Unicode encoding.
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2006-10002 is a buffer overflow vulnerability in the XML::Parser Perl module, specifically in the parse_stream() function of the Expat.xs file. The issue occurs when parsing UTF-8 encoded input streams with a :utf8 PerlIO layer. Perl's read() function returns decoded characters, but SvPV() returns the UTF-8 byte representation, which can be larger than the pre-allocated buffer size. This mismatch causes the XML input buffer to overflow, leading to heap corruption such as double free or corruption errors, and ultimately crashes the Perl interpreter."}, {'type': 'paragraph', 'content': 'The root cause is that the code assumes the number of bytes copied will never exceed the number of characters read, which is invalid for UTF-8 streams due to variable byte-length characters. The vulnerability manifests when the input stream is not set to raw byte mode, which is what the underlying libexpat library expects.'}, {'type': 'paragraph', 'content': 'A fix was implemented that dynamically reallocates the buffer size when the byte count exceeds the initially allocated buffer, preventing overflow and heap corruption. Additionally, it is recommended to set input streams to raw byte mode to avoid this issue.'}] [1, 3]

Impact Analysis

This vulnerability can cause heap corruption in the Perl interpreter when processing XML data with the XML::Parser module. Specifically, it can lead to double free or memory corruption errors that cause the application or interpreter to crash unexpectedly.

Such crashes can result in denial of service conditions for applications relying on XML::Parser for XML processing. Additionally, heap corruption could potentially be exploited to execute arbitrary code, although no explicit exploit details are provided.

Users processing UTF-8 encoded XML streams without setting the input stream to raw byte mode are particularly at risk.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability manifests as heap corruption errors such as double free or corruption messages and crashes when parsing UTF-8 encoded XML streams using the XML::Parser Perl module.'}, {'type': 'paragraph', 'content': 'To detect the vulnerability, you can check if your Perl scripts using XML::Parser are reading UTF-8 input streams without setting the input stream to raw byte mode.'}, {'type': 'paragraph', 'content': 'A suggested command to test for the vulnerability is to run a Perl script that parses a UTF-8 encoded XML file with the :utf8 PerlIO layer enabled but without setting binmode to raw bytes. For example:'}, {'type': 'list_item', 'content': 'perl -MXML::Parser -e \'binmode(STDIN, ":utf8"); my $p = XML::Parser->new(); $p->parse(*STDIN);\' < utf8_encoded_file.xml'}, {'type': 'paragraph', 'content': 'If the parser crashes with heap corruption or double free errors, the system is vulnerable.'}, {'type': 'paragraph', 'content': 'Alternatively, check if your Perl input streams are set to raw mode using commands like:'}, {'type': 'list_item', 'content': 'perl -e \'binmode(STDIN, ":bytes");\''}, {'type': 'paragraph', 'content': 'If input streams are not set to raw byte mode, the vulnerability may be present.'}] [3, 1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation involves ensuring that input streams to XML::Parser are set to raw byte mode to prevent buffer overflow caused by UTF-8 decoding mismatches.'}, {'type': 'list_item', 'content': "Set the input stream to raw mode in Perl scripts using binmode, for example: binmode(STDIN, ':bytes')."}, {'type': 'list_item', 'content': 'Apply the patch that fixes the buffer overflow in the parse_stream function of XML::Parser, which dynamically reallocates the buffer size based on the actual byte count read.'}, {'type': 'paragraph', 'content': 'This patch prevents heap corruption and crashes by correctly handling multi-byte UTF-8 characters without overflowing the buffer.'}, {'type': 'paragraph', 'content': 'If patching is not immediately possible, avoid parsing UTF-8 streams with the :utf8 PerlIO layer enabled or ensure input is properly encoded and handled as raw bytes.'}] [3, 1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2006-10002. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart