CVE-2026-13401
Deferred Deferred - Pending Action

XML::Bare Perl Parser Infinite Loop in Malformed Attributes

Vulnerability report for CVE-2026-13401, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: CPANSec

Description

XML::Bare versions through 0.53 for Perl will hang in an infinite loop when parsing malformed attributes. The parserc_parse function never advances the attribute-parse state cursor on certain malformed attribute forms, looping forever. Nameless attributes such as "<a ='c'>" or unbalanced quotes "<a b='''''''c'>" can trigger this condition.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-13401 is an infinite loop vulnerability in the XML::Bare Perl module's C parser. It occurs when parsing malformed XML attributes, such as nameless attributes or unbalanced quotes. The parser gets stuck in a loop because it fails to advance its position after encountering certain malformed inputs, causing it to consume CPU indefinitely.

Detection Guidance

To detect this vulnerability, monitor for processes consuming excessive CPU time, particularly those running XML::Bare or Perl scripts parsing XML input. Check for malformed XML inputs triggering infinite loops, such as attributes with nameless values or unbalanced quotes like <a ='c'> or <a b='''''''c'>.

Impact Analysis

This vulnerability can cause a denial of service by consuming excessive CPU resources. If exploited, it may lead to system slowdowns or crashes. Since the parser holds the Perl interpreter, it cannot be interrupted by Perl-level signals like alarms, making it difficult to mitigate once triggered.

Compliance Impact

This vulnerability could indirectly impact compliance with standards like GDPR or HIPAA by enabling denial-of-service (DoS) attacks. An infinite loop in XML parsing may cause system unavailability, potentially violating availability requirements in these regulations. However, the CVE itself does not directly reference compliance standards.

Mitigation Strategies

Immediately update XML::Bare to a patched version (0.53 or later) that fixes the infinite loop in parserc_parse. If updating is not possible, restrict XML input processing to trusted sources only and implement timeouts for XML parsing operations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-13401. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart