CVE-2026-56410
Status: Received - Intake
Integer Overflow in Expat XML Parsing Library

Publication date: 2026-06-21

Last updated on: 2026-06-21

Assigner: MITRE

Description
xmlwf in libexpat before 2.8.2 has an integer overflow in resolveSystemId.
CVSS Scores: none listed
EPSS Scores: N/A (not yet evaluated)
Meta Information
Published: 2026-06-21
Last Modified: 2026-06-21
Generated: 2026-06-21
AI Q&A: 2026-06-21
EPSS Evaluated: N/A
References: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: libexpat
Product: libexpat
Version / Range: up to 2.8.2 (exclusive), i.e. all versions before 2.8.2
Exploitability

CWE-190: The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
Executive Summary

CVE-2026-56410 is an integer overflow in the resolveSystemId function of xmlwf, the command-line tool shipped with libexpat. The function builds an absolute path for an external entity by combining a base path with the entity's SYSTEM identifier, and sizes the buffer from the lengths of the two strings. On wide-character builds that character count is multiplied by sizeof(XML_Char) to obtain a byte count; with an attacker-supplied systemId long enough, the multiplication wraps and malloc returns a buffer far smaller than the strings about to be copied into it, so the subsequent string copies overflow the heap.

The fix adds a guard that rejects any allocation size exceeding a safe maximum and, when the guard trips or the allocation fails, falls back to using systemId as-is instead of the resolved path.
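The following C is an added illustration of the pattern described above; it is not expat's code. XML_Char, tcslen, the function names and the sample paths are a hypothetical model of the behaviour the summary describes (a wide-character build, a size computed as character count times sizeof(XML_Char), a guard, and a fallback to the unresolved systemId). It shows the unchecked size computation wrapping next to the guarded one, and a resolver that refuses rather than allocating an undersized buffer:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a wide-character build: XML_Char is wider than
 * one byte, so byte counts are (character count) * sizeof(XML_Char).
 * This is a model for illustration, not expat's own typedef. */
typedef uint16_t XML_Char;

/* Character count of a NUL-terminated XML_Char string. */
static size_t tcslen(const XML_Char *s) {
    size_t n = 0;
    while (s[n] != 0) n++;
    return n;
}

/* Vulnerable pattern: the byte count for "base + systemId + 2 characters" is
 * computed in size_t with no check, so it silently wraps once the character
 * count approaches SIZE_MAX / sizeof(XML_Char). Returns the wrapped value. */
size_t naive_alloc_bytes(size_t len_base, size_t len_sysid) {
    return (len_base + len_sysid + 2) * sizeof(XML_Char);
}

/* Hardened pattern: reject any request whose character count cannot be
 * multiplied by sizeof(XML_Char) without wrapping. Returns 0 on overflow;
 * a legitimate request is never 0 bytes because it always covers 2 chars. */
size_t checked_alloc_bytes(size_t len_base, size_t len_sysid) {
    const size_t max_chars = SIZE_MAX / sizeof(XML_Char);
    if (len_base > max_chars - 2) return 0;
    if (len_sysid > max_chars - 2 - len_base) return 0;
    return (len_base + len_sysid + 2) * sizeof(XML_Char);
}

/* Model of the fixed behaviour: resolve system_id against the directory part
 * of base, guard the allocation size, and fall back to the unresolved
 * system_id if the guard or malloc fails. On success *to_free receives the
 * new buffer, which the caller must free(). */
const XML_Char *resolve_system_id_safe(const XML_Char *base,
                                       const XML_Char *system_id,
                                       XML_Char **to_free) {
    *to_free = NULL;
    if (base == NULL || system_id[0] == '/')  /* no base, or already absolute */
        return system_id;

    size_t len_base = tcslen(base), len_sys = tcslen(system_id);
    size_t bytes = checked_alloc_bytes(len_base, len_sys);
    if (bytes == 0)
        return system_id;                      /* size would wrap: refuse */
    XML_Char *buf = malloc(bytes);
    if (buf == NULL)
        return system_id;                      /* allocation failed: fall back */

    /* Keep base up to and including its last '/', then append system_id and
     * its NUL. Both copies fit: their lengths were accounted for in `bytes`. */
    size_t dir_len = 0;
    for (size_t i = 0; i < len_base; i++)
        if (base[i] == '/') dir_len = i + 1;
    memcpy(buf, base, dir_len * sizeof(XML_Char));
    memcpy(buf + dir_len, system_id, (len_sys + 1) * sizeof(XML_Char));
    *to_free = buf;
    return buf;
}

/* Compares an XML_Char string with an ASCII literal. */
int tcs_equals_ascii(const XML_Char *s, const char *ascii) {
    for (; *ascii != '\0'; s++, ascii++)
        if (*s != (XML_Char)(unsigned char)*ascii) return 0;
    return *s == 0;
}

/* Resolves, compares the result with `expect`, frees, returns 1 on a match. */
int resolved_equals(const XML_Char *base, const XML_Char *sys, const char *expect) {
    XML_Char *to_free;
    const XML_Char *r = resolve_system_id_safe(base, sys, &to_free);
    int ok = tcs_equals_ascii(r, expect);
    free(to_free);
    return ok;
}

/* Constructed sample inputs (ASCII paths as UTF-16 code units). */
const XML_Char SAMPLE_BASE[]      = {'/', 't', 'm', 'p', '/', 'a', '.', 'x', 'm', 'l', 0};
const XML_Char SAMPLE_SYSID[]     = {'b', '.', 'd', 't', 'd', 0};
const XML_Char SAMPLE_ABS_SYSID[] = {'/', 'e', 't', 'c', '/', 'x', '.', 'd', 't', 'd', 0};

int main(void) {
    /* With sizeof(XML_Char) == 2, a combined length of SIZE_MAX/2 characters
     * makes the naive byte count wrap to 2: a 2-byte heap buffer for the
     * copies that follow, i.e. the heap overflow the advisory describes. */
    printf("naive bytes for SIZE_MAX/2 chars: %zu\n", naive_alloc_bytes(SIZE_MAX / 2, 0));
    printf("checked bytes for the same:       %zu (0 = refused)\n",
           checked_alloc_bytes(SIZE_MAX / 2, 0));
    printf("resolved ok: %d\n", resolved_equals(SAMPLE_BASE, SAMPLE_SYSID, "/tmp/b.dtd"));
    return 0;
}
```

The guard is placed on the character count before the multiplication, which is the only place a check can be meaningful: once the product has wrapped, the small result looks like a perfectly ordinary allocation request.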

Impact Analysis

A wrapped size yields an undersized heap buffer that is then overrun during the string copies. The direct consequence is a crash of xmlwf (denial of service); whether the heap corruption can be turned into arbitrary code execution depends on the allocator and the mitigations in place, and the advisory does not establish it. Exposure is confined to runs of xmlwf that resolve external entities from attacker-influenced XML: the affected function is part of the xmlwf tool, not of the parser library that applications link against.

Detection Guidance

The vulnerable function, resolveSystemId, lives in the xmlwf command-line tool shipped with libexpat, not in the parser library itself. Detection therefore comes down to two questions: is the installed expat older than 2.8.2, and is xmlwf on that host used to process XML whose external entities it resolves.

Because the wrap happens in the multiplication by sizeof(XML_Char) on wide-character builds, the crafted input has to be enormous: the combined length of base and SYSTEM identifier must approach SIZE_MAX / sizeof(XML_Char), which is out of reach on 64-bit hosts and realistic only for 32-bit wide-character builds. Network monitoring for "suspicious SYSTEM identifiers" is accordingly of limited value; an unusually long SYSTEM literal in an external entity declaration is the only plausible indicator.

No specific detection commands are provided in the available resources. You can check the installed expat version, and whether xmlwf is a wide-character build, with commands like:

  • dpkg -l | grep -i expat (Debian/Ubuntu; the library is packaged as libexpat1 and xmlwf as expat)
  • rpm -qa | grep -i expat (RHEL/CentOS/Fedora; package expat)
  • xmlwf -v (prints the expat version and its compile-time features, including sizeof(XML_Char))

You can also exercise xmlwf against XML with crafted external SYSTEM identifiers in an isolated test environment and watch for crashes, ideally with a build instrumented by AddressSanitizer so that the heap overflow is reported even when it does not crash, but no specific test commands are provided.

Mitigation Strategies

The immediate mitigation step is to upgrade libexpat to version 2.8.2 or later, where the integer overflow in resolveSystemId has been fixed.

If upgrading is not immediately possible, do not run xmlwf on untrusted XML with external entity resolution enabled (in xmlwf that is the -x option; without it the tool does not resolve external entities and this code path is not reached). Applications that merely link libexpat do not execute resolveSystemId, since it is part of the xmlwf tool rather than the library.

Monitoring and restricting XML input sources to trusted entities can also reduce the risk of exploitation.
