CVE-2026-8177
Received - Intake
XML::LibXML Heap Out-of-Bounds Read via Truncated UTF-8

Publication date: 2026-05-10

Last updated on: 2026-05-10

Assigner: CPANSec

Description
XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences. A node name ending in the middle of a multi-byte UTF-8 sequence causes the parser to read past the end of the input string into adjacent heap memory. Any Perl process that passes attacker-controlled strings to XML::LibXML's DOM node-name methods can reach this path on the default API. The likely consequence is a crash, causing denial of service.
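
The description above comes down to a length check: a sequence whose lead byte promises more bytes than the buffer still holds must be rejected before any continuation byte is read. The C sketch below is an added example, not XML::LibXML's code; the function names `utf8_seq_len` and `name_utf8_complete` and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Total length implied by a UTF-8 lead byte, or 0 if it cannot start a sequence. */
static size_t utf8_seq_len(unsigned char lead) {
    if (lead < 0x80) return 1;
    if (lead >= 0xC2 && lead <= 0xDF) return 2;
    if (lead >= 0xE0 && lead <= 0xEF) return 3;
    if (lead >= 0xF0 && lead <= 0xF4) return 4;
    return 0; /* stray continuation byte, overlong lead, or > U+10FFFF */
}

/* Return 1 if buf[0..len) holds only complete, well-formed UTF-8 sequences.
 * Every read is bounded by len; the buffer need not be NUL-terminated. */
int name_utf8_complete(const unsigned char *buf, size_t len) {
    size_t i = 0;
    while (i < len) {
        unsigned char b0 = buf[i];
        size_t n = utf8_seq_len(b0);
        if (n == 0 || n > len - i)
            return 0; /* bad lead byte, or sequence runs past the end */
        for (size_t k = 1; k < n; k++)
            if ((buf[i + k] & 0xC0) != 0x80)
                return 0; /* missing continuation byte */
        if (n > 1) {
            unsigned char b1 = buf[i + 1];
            if ((b0 == 0xE0 && b1 < 0xA0) || (b0 == 0xED && b1 > 0x9F) ||
                (b0 == 0xF0 && b1 < 0x90) || (b0 == 0xF4 && b1 > 0x8F))
                return 0; /* overlong form, surrogate, or > U+10FFFF */
        }
        i += n;
    }
    return 1;
}

int main(void) {
    /* Constructed samples: "café" complete, then cut inside the 2-byte "é". */
    const unsigned char ok[]  = { 'c', 'a', 'f', 0xC3, 0xA9 };
    const unsigned char cut[] = { 'c', 'a', 'f', 0xC3 };
    printf("complete=%d truncated=%d\n",
           name_utf8_complete(ok, sizeof ok),
           name_utf8_complete(cut, sizeof cut));
    return 0;
}
```
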
Meta Information
Published: 2026-05-10
Last Modified: 2026-05-10
Generated: 2026-05-11
AI Q&A: 2026-05-11
EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in XML::LibXML versions through 2.0210 for Perl. It occurs when the parser reads XML node names that contain truncated UTF-8 byte sequences. Specifically, if a node name ends in the middle of a multi-byte UTF-8 character, the parser reads beyond the end of the input string into adjacent heap memory, causing an out-of-bounds read.


How can this vulnerability impact me?

The primary impact of this vulnerability is that it can cause the Perl process using XML::LibXML to crash. This crash results in a denial of service condition, as the process is terminated unexpectedly when parsing maliciously crafted XML node names.

