CVE-2026-8177
Status: Received - Intake
XML::LibXML Heap Out-of-Bounds Read via Truncated UTF-8

Publication date: 2026-05-10

Last updated on: 2026-05-11

Assigner: CPANSec

Description
XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences. A node name ending in the middle of a multi-byte UTF-8 sequence causes the parser to read past the end of the input string into adjacent heap memory. Any Perl process that passes attacker-controlled strings to XML::LibXML's DOM node-name methods can reach this path through the default API. The likely consequence is a crash, causing denial of service.
Meta Information
Published: 2026-05-10
Last Modified: 2026-05-11
Generated: 2026-05-31
AI Q&A: 2026-05-11
EPSS Evaluated: 2026-05-29
Affected Vendors & Products (1 associated CPE)
Vendor: cpan
Product: xml_libxml
Version / Range: through 2.0210 (inclusive)
CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in XML::LibXML versions through 2.0210 for Perl. It occurs when the parser reads XML node names that contain truncated UTF-8 byte sequences. Specifically, if a node name ends in the middle of a multi-byte UTF-8 character, the parser reads beyond the end of the input string into adjacent heap memory, causing an out-of-bounds read.


How can this vulnerability impact me?

The primary impact of this vulnerability is that it can cause the Perl process using XML::LibXML to crash. This crash results in a denial of service condition, as the process is terminated unexpectedly when parsing maliciously crafted XML node names.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability occurs when XML::LibXML parses node names containing truncated UTF-8 byte sequences, leading to out-of-bounds heap reads and potential crashes.

Detection involves identifying Perl processes using XML::LibXML versions through 2.0210 that handle attacker-controlled XML node names with malformed UTF-8 sequences.

While no specific detection commands are provided, you can check the installed XML::LibXML version with Perl commands such as:

  • perl -MXML::LibXML -e 'print $XML::LibXML::VERSION, "\n"'

To detect exploitation attempts or crashes, monitor logs for Perl process crashes or denial of service symptoms when processing XML input.

Additionally, you can audit XML inputs for node names containing truncated or malformed UTF-8 sequences, for example by using scripts or tools that validate UTF-8 correctness in XML node names.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade XML::LibXML to a version that includes the fix for CVE-2026-8177.

The fix involves validating UTF-8 continuation bytes before parsing them, preventing out-of-bounds reads and crashes.

If upgrading immediately is not possible, consider sanitizing or validating all XML node names and attribute names to ensure they do not contain truncated or malformed UTF-8 sequences before passing them to XML::LibXML.

Also, monitor and restrict inputs from untrusted sources that could exploit this vulnerability by providing crafted XML node names.

Review and apply any patches or updates provided by the XML::LibXML maintainers, such as the patch described in Resource 3.


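The detection answer above suggests auditing XML inputs for node names with truncated or malformed UTF-8, and the mitigation answer suggests validating node and attribute names before they reach XML::LibXML while an upgrade is pending. The following Perl script is an added example covering both points; it is not code from the advisory, from CPANSec, or from the XML::LibXML project. It assumes names arrive as raw byte strings (for example from a request body), performs a pure-Perl structural UTF-8 check so it runs even where XML::LibXML is not installed, and compares the installed `$XML::LibXML::VERSION` (if present) against the affected range the advisory states (through 2.0210). The sample inputs are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the advisory or the XML::LibXML project):
# a pre-parse guard that rejects node/attribute names whose bytes are not
# well-formed UTF-8, plus a check of the installed XML::LibXML version
# against the affected range given in the advisory (through 2.0210).
use strict;
use warnings;
use version;

# Return 1 if $bytes is structurally well-formed UTF-8, 0 otherwise.
# Assumption: $bytes is a raw byte string, not a decoded character string.
# This checks lead/continuation byte structure and truncation; it does not
# reject surrogate code points, which a full validator would also refuse.
sub is_wellformed_utf8 {
    my ($bytes) = @_;
    my $len = length $bytes;
    my $i   = 0;
    while ($i < $len) {
        my $lead = ord substr($bytes, $i, 1);
        my $need;   # number of continuation bytes the lead byte promises
        if    ($lead < 0x80)           { $need = 0 }
        elsif (($lead & 0xE0) == 0xC0) { return 0 if $lead < 0xC2; $need = 1 }  # 0xC0/0xC1 are overlong
        elsif (($lead & 0xF0) == 0xE0) { $need = 2 }
        elsif (($lead & 0xF8) == 0xF0) { return 0 if $lead > 0xF4; $need = 3 }  # beyond U+10FFFF
        else                           { return 0 }  # stray continuation or invalid lead byte
        # Truncated sequence: the string ends before all continuation bytes arrive.
        return 0 if $i + $need >= $len;
        for my $k (1 .. $need) {
            my $c = ord substr($bytes, $i + $k, 1);
            return 0 unless ($c & 0xC0) == 0x80;   # continuation bytes are 10xxxxxx
        }
        $i += $need + 1;
    }
    return 1;
}

# Gate a candidate node or attribute name before it reaches XML::LibXML.
# Returns the name unchanged when it is safe to pass on; dies otherwise.
sub checked_node_name {
    my ($name) = @_;
    die "refusing node name with truncated or invalid UTF-8\n"
        unless is_wellformed_utf8($name);
    return $name;
}

# Return 1 if an XML::LibXML version string falls in the affected range.
sub is_affected_version {
    my ($ver) = @_;
    return version->parse($ver) <= version->parse('2.0210') ? 1 : 0;
}

unless (caller) {
    # Constructed samples: a valid two-byte sequence, the same sequence cut
    # after its lead byte, a three-byte sequence missing its final byte,
    # and a continuation byte with no lead byte.
    my %sample = (
        'valid'      => "caf\xC3\xA9",
        'cut_2byte'  => "caf\xC3",
        'cut_3byte'  => "x\xE2\x82",
        'stray_cont' => "x\x80y",
    );
    for my $label (sort keys %sample) {
        printf "%-10s %s\n", $label,
            is_wellformed_utf8($sample{$label}) ? 'well-formed' : 'REJECT';
    }

    # Version check against the range stated in the advisory.
    my $installed = eval { require XML::LibXML; $XML::LibXML::VERSION };
    if (defined $installed) {
        printf "XML::LibXML %s installed: %s\n", $installed,
            is_affected_version($installed)
                ? 'within affected range (through 2.0210)'
                : 'outside affected range';
    }
    else {
        print "XML::LibXML not installed; version check skipped\n";
    }
}
```

In an application, wrap calls such as `createElement` with `checked_node_name` on any name derived from untrusted input; the check is cheap relative to parsing and fails closed on exactly the truncated sequences the advisory describes. The version check is only a triage aid: confirm the actual fixed release from the maintainers' advisory rather than relying on the comparison alone.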