Heap Corruption in XML::Parser for Perl by Exit Data
CVE-2006-10002

9.8CRITICAL

Key Information:

Vendor

Toddr

Status
Xml::parser
Vendor
CVE Published:
19 March 2026

What is CVE-2006-10002?

The XML::Parser module for Perl, specifically versions up to 2.47, is susceptible to a vulnerability that allows for a heap corruption issue due to an overflow of the pre-allocated buffer size. This occurs in the parse_stream() function within Expat.xs, where the Perl read() function returns decoded characters that can exceed the limitations set by the SvPV() function. This discrepancy can result in double free or corruption scenarios, ultimately leading to application crashes. It is crucial for users to be aware of this vulnerability and apply any necessary patches to mitigate potential risks.

Affected Version(s)

XML::Parser 0 <= 2.45

References

https://rt.cpan.org/Ticket/Display.html?id=19859
issue-tracking
https://github.com/cpan-authors/XML-Parser/issues/64
issue-tracking
https://metacpan.org/release/TODDR/XML-Parser-2.46/changes
release-notes

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.