CVE-2026-57074
Deferred Deferred - Pending Action

Out-of-Bounds Read in XML::Bare Perl Module

Vulnerability report for CVE-2026-57074, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: CPANSec

Description

XML::Bare versions through 0.53 for Perl have an unbounded character lookahead. The parserc_parse function attempts to check for multicharacter strings such as "<![CDATA" or element terminators such as ">" without checking that the offsets are within the buffer. Truncated strings such as "<a/" can trigger an out-of-bounds read.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
nanoscopic xml_bare to 0.53 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-57074 is a heap-based buffer overflow in the Perl module XML::Bare's C parser. It occurs when parsing untrusted XML input and is caused by the parser advancing a position pointer without checking buffer bounds. This leads to reading beyond allocated memory, particularly with truncated or malformed XML like `<a/` or `<![CDATA`.

Detection Guidance

To detect this vulnerability, inspect systems using XML::Bare versions through 0.53 for Perl. Check Perl module versions with commands like 'cpan -D XML::Bare' or 'perl -MXML::Bare -e "print $XML::Bare::VERSION"'. Monitor for crashes or memory corruption when parsing XML input, as these may indicate exploitation attempts.

Impact Analysis

If you use XML::Bare to parse untrusted XML input, this vulnerability could allow an attacker to execute arbitrary code or crash your application by causing a buffer overflow. This is especially risky if the module processes user-provided or external XML data.

Compliance Impact

This vulnerability does not directly affect compliance with GDPR, HIPAA, or similar standards. It is a technical flaw in XML parsing that could lead to crashes or undefined behavior when processing malformed XML input. Compliance impacts would only occur if this flaw caused data corruption or unauthorized access during processing of regulated data.

Mitigation Strategies

Immediately update XML::Bare to the patched version. Apply the official patch from https://security.metacpan.org/patches/X/XML-Bare/0.53/CVE-2026-57074-r1.patch. If updating is not possible, avoid parsing untrusted XML input with XML::Bare until the fix is applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57074. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart