CVE-2026-5037
Received Received - Intake
Stack-Based Buffer Overflow in mxmlIndexNew (mxml

Publication date: 2026-03-29

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in mxml up to 4.0.4. This issue affects the function index_sort of the file mxml-index.c of the component mxmlIndexNew. Executing a manipulation of the argument tempr can lead to stack-based buffer overflow. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. This patch is called 6e27354466092a1ac65601e01ce6708710bb9fa5. A patch should be applied to remediate this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-29
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-29
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5037
EUVD
EUVD-2026-16983
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
michaelrsweet mxml to 4.0.5 (exc)
michaelrsweet mxml 4.0.5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5037 is a vulnerability in the mxml library up to version 4.0.4, specifically in the function index_sort within the mxml-index.c file used by mxmlIndexNew. The issue arises from improper boundary checks during a sorting operation, which can cause a stack-based buffer overflow when manipulating the argument tempr.

This vulnerability occurs when a specially crafted malformed XML structure is processed, leading to an out-of-bounds read or write during the sorting of nodes. The root cause is a failure to properly check the lower bounds in the quicksort partitioning logic, allowing the index to decrement past the start of the allocated array.

The vulnerability is exploitable only through local execution and has been publicly disclosed. A patch was released in version 4.0.5 that adds an additional check to prevent invalid or out-of-bounds access during the recursive sorting.

Impact Analysis

This vulnerability can lead to a stack-based buffer overflow or heap-buffer-overflow during the processing of malformed XML data, which may cause application crashes or potentially allow an attacker to read invalid memory.

Since the exploit requires local execution, an attacker would need local access to the system to trigger the vulnerability.

The impact is limited to denial of service or information disclosure, as the CVSS scores indicate low severity with no direct impact on confidentiality or integrity, but some impact on availability.

Detection Guidance

This vulnerability can be detected by attempting to reproduce the issue locally using a specially crafted malformed XML payload that triggers the unsafe sorting operation in the mxml library's mxmlIndexNew function.

A minimal detection approach involves the following steps:

  • Load a malformed XML string using the mxmlLoadString function with opaque type options.
  • Invoke the mxmlIndexNew function on the parsed XML tree.
  • Observe if a crash or memory access error occurs during the sorting step inside mxmlIndexNew, which indicates the presence of the vulnerability.

Tools like AddressSanitizer (ASAN) or fuzzers such as SynFuzz can be used to detect the heap-buffer-overflow by monitoring for out-of-bounds reads or crashes.

Mitigation Strategies

The immediate mitigation step is to apply the patch provided for this vulnerability, which is included in version 4.0.5 of the mxml library.

This patch fixes the issue by adding a boundary check in the index_sort function within mxml-index.c to prevent invalid or out-of-bounds access during the sorting operation.

Since the attack requires local execution, restricting untrusted local access and avoiding processing untrusted or malformed XML inputs with vulnerable versions of the library can reduce risk until the patch is applied.

Compliance Impact

The vulnerability in mxml up to version 4.0.4 involves a stack-based buffer overflow that can be exploited locally to cause crashes or potentially disclose information by reading invalid memory. However, the provided information does not specify any direct impact on compliance with common standards and regulations such as GDPR or HIPAA.

Since the exploit is limited to local execution and the CVE description and resources do not mention any data breach, unauthorized data access, or privacy violations, there is no explicit indication that this vulnerability directly affects compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5037. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart