CVE-2026-50219
Use-After-Free in Expat XML Parser Library
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| libexpat | libexpat | to 2.8.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability exists in libexpat versions before 2.8.2, where there is no tracking of handler call depth when certain functions like XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset are called from within handlers during policy violations.
Because of this lack of tracking, a use-after-free condition can occur, which means the program might try to use memory that has already been freed, potentially leading to crashes or undefined behavior.
The issue arises from reentrancy problems where these functions are called recursively or indirectly within handler callbacks without proper safeguards.
How can this vulnerability impact me? :
This vulnerability can lead to use-after-free errors, which may cause application crashes or unpredictable behavior.
Such memory corruption issues can potentially be exploited by attackers to execute arbitrary code or cause denial of service, depending on the context in which libexpat is used.
Because the CVSS base score is 4.9 with low attack vector and high attack complexity, exploitation requires local access and is not trivial.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability in libexpat before version 2.8.2, ensure that your system is updated to a version that includes the fix which introduces handler call depth tracking. This fix prevents calls to functions like XML_GetBuffer, XML_ParserFree, and XML_ParserReset from within handler callbacks, avoiding use-after-free issues.
Specifically, update libexpat to version 2.8.2 or later where the vulnerability is addressed by implementing a counter-based approach to track handler depth and prevent unsafe reentrant calls.