CVE-2026-8177
XML::LibXML Heap Out-of-Bounds Read via Truncated UTF-8

Publication date: 2026-05-10

Last updated on: 2026-05-11

Assigner: CPANSec

Description
XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names that contain truncated UTF-8 byte sequences. A node name that ends in the middle of a multi-byte UTF-8 sequence causes the parser to read past the end of the input string into adjacent heap memory. Any Perl process that passes attacker-controlled strings to XML::LibXML's DOM node-name methods can reach this path through the default API. The likely consequence is a crash, causing denial of service.
Meta Information
Generated: 2026-06-20
AI Q&A: 2026-05-11
EPSS evaluated: 2026-06-19
Affected Vendors & Products
Vendor  Product     Version / Range
cpan    xml_libxml  through 2.0210 (inclusive)
CWE
CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.
AI Quick Actions
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability occurs when XML::LibXML parses node names containing truncated UTF-8 byte sequences, leading to out-of-bounds heap reads and potential crashes.

Detection involves identifying Perl processes using XML::LibXML versions through 2.0210 that handle attacker-controlled XML node names with malformed UTF-8 sequences.

While no specific detection commands are provided, you can check the installed XML::LibXML version with Perl commands such as:

  • perl -MXML::LibXML -e 'print $XML::LibXML::VERSION, "\n"'

To detect exploitation attempts or crashes, monitor logs for Perl process crashes or denial of service symptoms when processing XML input.

Additionally, you can audit XML inputs for node names containing truncated or malformed UTF-8 sequences, for example by using scripts or tools that validate UTF-8 correctness in XML node names.

Mitigation Strategies

The primary mitigation step is to upgrade XML::LibXML to a version that includes the fix for CVE-2026-8177.

The fix involves validating UTF-8 continuation bytes before parsing them, preventing out-of-bounds reads and crashes.

If upgrading immediately is not possible, consider sanitizing or validating all XML node names and attribute names to ensure they do not contain truncated or malformed UTF-8 sequences before passing them to XML::LibXML.

Also, monitor and restrict inputs from untrusted sources that could exploit this vulnerability by providing crafted XML node names.

Review and apply any patches or updates provided by the XML::LibXML maintainers, such as the patch described in Resource 3.
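The check that the detection and mitigation guidance above describe, a scan of a node name that confirms every UTF-8 continuation byte lies inside the buffer before it is read, as an added illustration in C. This is not XML::LibXML's or libxml2's code and assumes nothing about their internals; the function names, the buffer layout and the sample node names are constructed for the example. The unchecked scanner shows the CWE-125 shape the advisory describes (a name that ends mid-sequence makes it read past the end); the checked scanner is what a pre-parse validator of node and attribute names, or the library-side fix, has to do.

```c
#include <stddef.h>
#include <stdio.h>

/* Outcome of scanning a length-delimited byte buffer as UTF-8. */
typedef enum {
    UTF8_OK = 0,        /* every sequence complete and well-formed */
    UTF8_TRUNCATED = 1, /* buffer ends inside a multi-byte sequence */
    UTF8_MALFORMED = 2  /* invalid lead byte or continuation byte */
} utf8_status;

/* Sequence length implied by a lead byte, or 0 if the byte cannot start one.
 * Rejects 0xC0/0xC1 (overlong 2-byte forms) and 0xF5..0xFF (beyond U+10FFFF);
 * a stray continuation byte (0x80..0xBF) also yields 0. Truncation-focused:
 * it does not check the second-byte ranges that exclude overlong 3-byte
 * forms or surrogates. */
static size_t utf8_seq_len(unsigned char lead) {
    if (lead < 0x80) return 1;
    if ((lead & 0xE0) == 0xC0) return lead >= 0xC2 ? 2 : 0;
    if ((lead & 0xF0) == 0xE0) return 3;
    if ((lead & 0xF8) == 0xF0) return lead <= 0xF4 ? 4 : 0;
    return 0;
}

/* UNCHECKED (illustrative only): trusts the lead byte and dereferences the
 * continuation bytes without comparing i + k against len. On a name that
 * ends in the middle of a sequence, e.g. the 4 bytes "caf\xC3", the read of
 * s[4] is past the buffer: the out-of-bounds read shape in the advisory. */
static utf8_status utf8_check_name_unchecked(const unsigned char *s, size_t len) {
    size_t i = 0;
    while (i < len) {
        size_t need = utf8_seq_len(s[i]);
        if (need == 0) return UTF8_MALFORMED;
        for (size_t k = 1; k < need; k++)            /* no bound on i + k */
            if ((s[i + k] & 0xC0) != 0x80) return UTF8_MALFORMED;
        i += need;
    }
    return UTF8_OK;
}

/* CHECKED: the whole sequence must fit inside the buffer before any
 * continuation byte is touched. Reports the offset of the first problem. */
utf8_status utf8_check_name(const unsigned char *s, size_t len, size_t *bad_off) {
    size_t i = 0;
    while (i < len) {
        size_t need = utf8_seq_len(s[i]);
        if (need == 0) { if (bad_off) *bad_off = i; return UTF8_MALFORMED; }
        if (need > len - i) { if (bad_off) *bad_off = i; return UTF8_TRUNCATED; } /* the bound */
        for (size_t k = 1; k < need; k++)
            if ((s[i + k] & 0xC0) != 0x80) { if (bad_off) *bad_off = i + k; return UTF8_MALFORMED; }
        i += need;
    }
    if (bad_off) *bad_off = len;
    return UTF8_OK;
}

/* Offset of the first bad byte, or len when the name is clean. */
size_t utf8_first_bad_offset(const unsigned char *s, size_t len) {
    size_t off = len;
    utf8_check_name(s, len, &off);
    return off;
}

int main(void) {
    /* Constructed sample node names with explicit lengths: a truncated name is
     * one whose buffer ends before the sequence its lead byte announces. */
    struct { const char *label; const unsigned char *bytes; size_t len; } names[] = {
        { "ascii",            (const unsigned char *)"item",        4 },
        { "complete 2-byte",  (const unsigned char *)"caf\xC3\xA9", 5 },
        { "truncated 2-byte", (const unsigned char *)"caf\xC3",     4 },
        { "truncated 3-byte", (const unsigned char *)"\xE2\x82",    2 },
        { "stray cont. byte", (const unsigned char *)"a\x80" "b",   3 },
    };
    static const char *words[] = { "ok", "truncated", "malformed" };
    for (size_t n = 0; n < sizeof names / sizeof names[0]; n++) {
        size_t off;
        utf8_status st = utf8_check_name(names[n].bytes, names[n].len, &off);
        if (st == UTF8_OK) printf("%-18s -> ok\n", names[n].label);
        else printf("%-18s -> %s at byte %zu\n", names[n].label, words[st], off);
    }
    /* The unchecked scanner is only ever run on a complete name here. */
    (void)utf8_check_name_unchecked(names[0].bytes, names[0].len);
    return 0;
}
```

Run it against the node and attribute names of untrusted XML before handing the document to XML::LibXML, and reject or log anything that does not come back UTF8_OK; the reported offset is the value to put in the log line. The decisive difference between the two scanners is the single `need > len - i` comparison: it is what keeps a name that ends mid-sequence from being read one byte further than the buffer.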

Executive Summary

This vulnerability exists in XML::LibXML versions through 2.0210 for Perl. It occurs when the parser reads XML node names that contain truncated UTF-8 byte sequences. Specifically, if a node name ends in the middle of a multi-byte UTF-8 character, the parser reads beyond the end of the input string into adjacent heap memory, causing an out-of-bounds read.

Impact Analysis

The primary impact of this vulnerability is that it can cause the Perl process using XML::LibXML to crash. This crash results in a denial of service condition, as the process is terminated unexpectedly when parsing maliciously crafted XML node names.
