Use-after-Free Vulnerability in libexpat Affects XML Parser Handler Calls
CVE-2026-56131

4.9MEDIUM

Key Information:

Vendor: Libexpat Project
Status: Libexpat
Vendor: CVE Published:; 19 June 2026

🔔 Create Libexpat Project Vulnerability Alert

What is CVE-2026-56131?

The libexpat library, utilized for XML parsing, has a vulnerability that enables a use-after-free condition due to a lack of handler call depth tracking in specific circumstances. When a policy violation occurs, calls to XML_ResumeParser within user-defined handlers may compromise memory integrity, leading to potential arbitrary code execution. This issue mirrors the scenario described in a related vulnerability and emphasizes the importance of updating to libexpat version 2.8.2 or higher for security enhancements.

Affected Version(s)

libexpat 0 < 2.8.2

References

https://github.com/libexpat/libexpat/pull/1267

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 19, 2026
Vulnerability Reserved
Jun 19, 2026

CVE-2026-56131 Data

JSON