CVE-2026-56131
Status: Received - Intake
Use-After-Free in libexpat via XML_ResumeParser Called from Within Handlers

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: MITRE

Description
libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_ResumeParser from within handlers in cases of a policy violation. Thus, a use-after-free can occur (similar to the CVE-2026-50219 situation).
Meta Information
Generated: 2026-06-19
AI Q&A: 2026-06-19
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: libexpat
Product: libexpat
Version / Range: all versions before 2.8.2 (2.8.2 itself is not affected)
CWE
CWE-416 (Use After Free): The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Executive Summary

libexpat before 2.8.2 does not track handler call depth when XML_ResumeParser is called from inside a handler callback. If a handler suspends parsing with XML_StopParser and then itself calls XML_ResumeParser, the parser is re-entered while the outer parse, and the handler that invoked it, are still on the stack. When the resumed parse then reports a policy violation, the parser's error path can free state that the still-active outer call continues to use, producing a use-after-free. The advisory describes the situation as similar to CVE-2026-50219.

Impact Analysis

The vulnerability is a use-after-free, so the outcome is memory corruption: at minimum an application crash (denial of service), and potentially arbitrary code execution if an attacker can control the contents of the freed allocation. To trigger it, an attacker must supply XML that reaches an application code path which calls XML_ResumeParser from within a handler, and which then causes a policy violation during the resumed parse. The entry carries a CVSS base score of 4.9 (moderate), reflecting a local attack vector, high attack complexity and no user interaction.

Detection Guidance

This vulnerability is a use-after-free triggered by re-entrant calls to XML_ResumeParser from within handler callbacks in libexpat before version 2.8.2.

Detection has two parts: establishing whether a vulnerable libexpat (prior to 2.8.2) is present, and establishing whether any application built on it calls XML_ResumeParser from inside a handler callback (typically after XML_StopParser), since only that usage pattern reaches the flawed code.

There are no specific network detection commands or signatures provided in the resources.

To detect the vulnerable library version on your system, you can check the installed libexpat version using commands like:

  • On Linux: `dpkg -l | grep libexpat` or `rpm -qa | grep expat`
  • From the development package: `pkg-config --modversion expat`
  • From Python's bundled or system copy: `python3 -c 'import pyexpat; print(pyexpat.EXPAT_VERSION)'`
  • For applications that vendor their own copy of expat, inspect the binary or its source tree, since the package manager will not report it.

For applications using libexpat, review the source code for handler callbacks that call XML_ResumeParser (directly or through a helper) after XML_StopParser; the safe pattern resumes from the caller of XML_Parse or XML_ParseBuffer, not from inside the handler.
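The following program is an added example for the version check above; it is not code from the advisory or from the expat project. It resolves XML_ExpatVersionInfo() from whichever libexpat shared object the process can load (the library names tried are assumptions, chosen to cover common Linux and macOS installs), so it compiles without expat headers, and compares the result against the fixed release 2.8.2 stated in the advisory. It also parses version strings of the shapes produced by XML_ExpatVersion(), pkg-config and dpkg, so the same comparison can be applied to package-manager output.

```c
/* Runtime check for CVE-2026-56131 (added example, not from the advisory or
 * the expat project). No build-time dependency on expat: the version entry
 * point is resolved with dlsym. Build: cc expat_check.c  (add -ldl on older
 * glibc). */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

/* Mirror of expat's XML_Expat_Version (three ints) so XML_ExpatVersionInfo()
 * can be called through a function pointer without including expat.h. */
typedef struct { int major; int minor; int micro; } expat_version_t;

/* Fixed in 2.8.2 per the advisory; every earlier release is affected. */
#define FIXED_MAJOR 2
#define FIXED_MINOR 8
#define FIXED_MICRO 2

/* Returns 1 if major.minor.micro is earlier than 2.8.2, otherwise 0. */
int expat_version_is_vulnerable(int major, int minor, int micro) {
    if (major != FIXED_MAJOR) return major < FIXED_MAJOR;
    if (minor != FIXED_MINOR) return minor < FIXED_MINOR;
    return micro < FIXED_MICRO;
}

/* Finds the first "N.N.N" in strings such as "expat_2.6.4" (XML_ExpatVersion()),
 * "2.6.4" (pkg-config --modversion expat) or a dpkg -l line containing
 * "2.6.4-1". Returns 1 on success and fills the three components. */
int parse_expat_version(const char *s, int *major, int *minor, int *micro) {
    for (; *s; s++) {
        if (isdigit((unsigned char)*s) &&
            sscanf(s, "%d.%d.%d", major, minor, micro) == 3)
            return 1;
    }
    return 0;
}

/* Loads the system libexpat and reads its version via XML_ExpatVersionInfo().
 * Returns 1 if vulnerable, 0 if fixed, -1 if no libexpat could be loaded.
 * The library names below are assumptions covering common installs. */
int probe_loaded_expat(expat_version_t *out) {
    static const char *const names[] = {
        "libexpat.so.1", "libexpat.so", "libexpat.1.dylib", NULL
    };
    void *h = NULL;
    for (int i = 0; names[i] && !h; i++)
        h = dlopen(names[i], RTLD_NOW | RTLD_LOCAL);
    if (!h) return -1;

    expat_version_t (*info)(void) =
        (expat_version_t (*)(void)) dlsym(h, "XML_ExpatVersionInfo");
    if (!info) { dlclose(h); return -1; }

    expat_version_t v = info();   /* copy out before unloading */
    dlclose(h);
    if (out) *out = v;
    return expat_version_is_vulnerable(v.major, v.minor, v.micro);
}

int main(void) {
    expat_version_t v;
    int r = probe_loaded_expat(&v);
    if (r < 0) {
        puts("no libexpat shared object could be loaded in this process");
        return 2;
    }
    printf("libexpat %d.%d.%d: %s\n", v.major, v.minor, v.micro,
           r ? "VULNERABLE to CVE-2026-56131 (upgrade to 2.8.2 or later)"
             : "not affected by CVE-2026-56131");
    return r;
}
```

Because the probe uses the dynamic loader, it reports the copy that a process on this host would actually pick up, which can differ from what the package manager lists when an application ships its own expat in a private library path.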

Mitigation Strategies

The primary mitigation is to upgrade libexpat to version 2.8.2 or later, where the fix for this vulnerability has been applied.

If upgrading immediately is not possible, do not call XML_ResumeParser from within a handler callback. A handler may still suspend parsing with XML_StopParser(parser, XML_TRUE); the resume belongs in the code that called XML_Parse or XML_ParseBuffer, which sees XML_STATUS_SUSPENDED returned and then calls XML_ResumeParser once the handler has returned. This keeps the parser from being re-entered while an outer parse is active, which is the condition that leads to the use-after-free.

Review and test applications that use libexpat to ensure they do not perform such re-entrant parsing operations.

Monitor for updates and patches from your operating system or software vendors that include the fixed libexpat version.
