CVE-2026-5037
Stack-Based Buffer Overflow in mxmlIndexNew (mxml
Publication date: 2026-03-29
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| michaelrsweet | mxml | < 4.0.5 (up to and including 4.0.4) |
| michaelrsweet | mxml | 4.0.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5037 is a vulnerability in the mxml library up to and including version 4.0.4, in the function index_sort in mxml-index.c, which mxmlIndexNew calls to sort the nodes of a newly built index. The issue is a missing boundary check in the quicksort partitioning logic: the right-hand scan index (tempr) can be decremented past the start of the node array, producing an out-of-bounds access on the buffer being sorted.
The condition is reached when a specially crafted, malformed XML document is parsed and then indexed. The root cause is that the partition scan does not check the lower bound of the current partition while moving towards the pivot, so the index walks off the front of the array and the sort reads or writes outside it.
The advisory rates the attack vector as local, and the issue has been publicly disclosed. mxml 4.0.5 fixes it by adding a check that keeps the partition indices within bounds during the recursive sort.
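The root cause described above, a partition scan whose index runs past the start of the array when the lower bound is not checked, can be seen in a small self-contained program. This is an added, illustrative example written for this page, not mxml's index_sort or its 4.0.5 fix: the comparators, `partition`, the `guard` switch and the demo functions are hypothetical, the sample values are constructed, and the unguarded path stops at index -1 instead of dereferencing it so the demonstration itself stays memory-safe. NULL stands in for a node that lacks the indexed attribute, the kind of degenerate input malformed XML can produce.

```c
#include <stdio.h>
#include <string.h>

typedef int (*cmp_fn)(const char *, const char *);

/* Consistent comparator over optional attribute values (hypothetical).
 * NULL models a node without the indexed attribute. cmp(x, x) is always 0. */
static int cmp_value(const char *a, const char *b)
{
    if (a == NULL && b == NULL) return 0;
    if (a == NULL) return -1;
    if (b == NULL) return 1;
    return strcmp(a, b);
}

/* Deliberately inconsistent comparator (hypothetical): NULL is "greater"
 * than everything, including another NULL, so cmp(x, x) > 0. A scan that
 * relies only on the comparator to stop never sees "not greater". */
static int cmp_value_inconsistent(const char *a, const char *b)
{
    if (a == NULL) return 1;
    if (b == NULL) return -1;
    return strcmp(a, b);
}

/* One Hoare-style partition step over vals[left..right], pivot = vals[left].
 * guard selects whether the right-moving scan is bounded by `tempr > left`.
 * *lowest receives the smallest index the right scan moved to; the unguarded
 * variant would read vals[-1], so we stop at -1 and return -1 instead. */
static int partition(const char **vals, int left, int right, cmp_fn cmp,
                     int guard, int *lowest)
{
    const char *pivot = vals[left];
    int templ = left, tempr = right;

    *lowest = right;
    while (templ < tempr) {
        /* move the left index right while value <= pivot (bounded by right) */
        while (templ < right && cmp(vals[templ], pivot) <= 0)
            templ++;
        /* move the right index left while value > pivot; `tempr > left`
         * is the lower-bound check that keeps this inside the partition */
        while ((!guard || tempr > left) && tempr >= 0 &&
               cmp(vals[tempr], pivot) > 0) {
            tempr--;
            if (tempr < *lowest) *lowest = tempr;
        }
        if (tempr < 0)
            return -1;                  /* unguarded scan ran past the start */
        if (templ < tempr) {
            const char *tmp = vals[templ];
            vals[templ] = vals[tempr];
            vals[tempr] = tmp;
        }
    }
    /* tempr is the pivot's final position */
    if (cmp(pivot, vals[tempr]) > 0) {
        vals[left] = vals[tempr];
        vals[tempr] = pivot;
    }
    return tempr;
}

/* Guarded quicksort: recurse on the left partition, iterate on the right. */
static void sort_range(const char **vals, int left, int right, cmp_fn cmp)
{
    while (left < right) {
        int lowest;
        int p = partition(vals, left, right, cmp, 1, &lowest);
        if (p < 0) return;              /* unreachable when guarded */
        if (left < p - 1) sort_range(vals, left, p - 1, cmp);
        left = p + 1;
    }
}

/* Unguarded scan with the inconsistent comparator: reaches index -1. */
int demo_unguarded_lowest_index(void)
{
    const char *vals[3] = { NULL, NULL, NULL };   /* constructed input */
    int lowest;
    partition(vals, 0, 2, cmp_value_inconsistent, 0, &lowest);
    return lowest;
}

/* Same input with the bound check: the scan stops at left (index 0). */
int demo_guarded_lowest_index(void)
{
    const char *vals[3] = { NULL, NULL, NULL };   /* constructed input */
    int lowest;
    partition(vals, 0, 2, cmp_value_inconsistent, 1, &lowest);
    return lowest;
}

/* Guarded sort on a mix of present and missing values; 1 when the result
 * is {NULL, NULL, "a", "b", "c"}. */
int demo_sorted_ok(void)
{
    const char *vals[5] = { "c", NULL, "a", "b", NULL };   /* constructed */
    sort_range(vals, 0, 4, cmp_value);
    return vals[0] == NULL && vals[1] == NULL &&
           strcmp(vals[2], "a") == 0 && strcmp(vals[3], "b") == 0 &&
           strcmp(vals[4], "c") == 0;
}

int main(void)
{
    printf("unguarded lowest index: %d\n", demo_unguarded_lowest_index());
    printf("guarded lowest index:   %d\n", demo_guarded_lowest_index());
    printf("guarded sort correct:   %d\n", demo_sorted_ok());
    return 0;
}
```

The point of the two demo functions is that the pivot comparison alone cannot be trusted to stop the scan: when every element in the partition compares "greater" than the pivot (here forced by a comparator that does not treat equal values as equal), only the explicit `tempr > left` bound prevents the index from leaving the array. Build with `-fsanitize=address` if you remove the `tempr >= 0` safety stop and want to see the sanitizer report the read before the buffer.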
How can this vulnerability impact me?
Processing malformed XML with a vulnerable version can trigger an out-of-bounds memory access during the index sort (classified by the advisory as a stack-based buffer overflow, CWE-121; depending on where the node array lives, sanitizer output for the same bug may be labelled a heap-buffer-overflow). The usual result is an application crash; at most, an attacker could cause invalid memory to be read.
Because the attack vector is local, an attacker needs a crafted document to be parsed and indexed by a process on the affected system rather than a way to reach it over the network.
The impact is limited to denial of service and, at most, a limited out-of-bounds read: the CVSS scores indicate low severity, with the principal effect on availability, no integrity impact, and any confidentiality impact confined to what such a read could expose.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is no network signature for this issue; it is a local memory-safety bug, so detection is a matter of inventory and local testing. The most useful check is to find the mxml version in use (package manager metadata, pkg-config, or the version of any vendored or statically linked copy) and treat anything below 4.0.5 as affected.
To confirm that a particular build is affected, reproduce the issue locally with a crafted malformed XML payload that exercises the sort inside mxmlIndexNew:
- Load the malformed XML string with mxmlLoadString, with opaque type options so values are kept as opaque text.
- Call mxmlIndexNew on the parsed XML tree.
- Watch for a crash or memory-access error during the sorting step; build the harness with -fsanitize=address so AddressSanitizer reports the out-of-bounds access deterministically instead of relying on a crash.
Fuzzers such as SynFuzz can also surface the bug by monitoring for sanitizer reports or crashes while mutating the XML input.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade to mxml 4.0.5 or later, which contains the fix; if your software ships a vendored or statically linked copy of the library, rebuild and redeploy the dependent binaries as well, since updating a system package will not reach them.
The patch adds a boundary check in the index_sort function in mxml-index.c so the partition indices cannot move outside the array during the sort.
Because the attack vector is local, limiting which users and services can feed XML into processes that build indexes with a vulnerable version, and not indexing untrusted or malformed XML until the update is applied, reduces risk in the meantime.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in mxml up to version 4.0.4 involves a stack-based buffer overflow that can be exploited locally to cause crashes or potentially disclose information by reading invalid memory. However, the provided information does not specify any direct impact on compliance with common standards and regulations such as GDPR or HIPAA.
Since the exploit is limited to local execution and the CVE description and resources do not mention any data breach, unauthorized data access, or privacy violations, there is no explicit indication that this vulnerability directly affects compliance with these regulations.