CVE-2026-50219
Analyzed Analyzed - Analysis Complete
Use-After-Free in Expat XML Parser Library

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: MITRE

Description
libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset from within handlers in cases of a policy violation. Thus, a use-after-free can occur,
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-04
Last Modified
2026-06-04
Generated
2026-06-24
AI Q&A
2026-06-04
EPSS Evaluated
2026-06-23
NVD
CVE-2026-50219
EUVD
EUVD-2026-34206
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
libexpat_project libexpat to 2.8.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability exists in libexpat versions before 2.8.2, where there is no tracking of handler call depth when certain functions like XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset are called from within handlers during policy violations.

Because of this lack of tracking, a use-after-free condition can occur, which means the program might try to use memory that has already been freed, potentially leading to crashes or undefined behavior.

The issue arises from reentrancy problems where these functions are called recursively or indirectly within handler callbacks without proper safeguards.

Impact Analysis

This vulnerability can lead to use-after-free errors, which may cause application crashes or unpredictable behavior.

Such memory corruption issues can potentially be exploited by attackers to execute arbitrary code or cause denial of service, depending on the context in which libexpat is used.

Because the CVSS base score is 4.9 with low attack vector and high attack complexity, exploitation requires local access and is not trivial.

Mitigation Strategies

To mitigate this vulnerability in libexpat before version 2.8.2, ensure that your system is updated to a version that includes the fix which introduces handler call depth tracking. This fix prevents calls to functions like XML_GetBuffer, XML_ParserFree, and XML_ParserReset from within handler callbacks, avoiding use-after-free issues.

Specifically, update libexpat to version 2.8.2 or later where the vulnerability is addressed by implementing a counter-based approach to track handler depth and prevent unsafe reentrant calls.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50219. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart