Integer Overflow Vulnerability in libexpat Affects Output Filename Handling
CVE-2026-56409

6.5 MEDIUM

Key Information:

Status
Vendor
CVE Published:
21 June 2026

What is CVE-2026-56409?

The libexpat library, in versions prior to 2.8.2, contains an integer overflow in the xmlwf tool that is triggered when xmlwf is run with the -d outputDir option. The overflow results in incorrect handling of the output filename. Proper validation and sanitization of input parameters are crucial to mitigating the risks associated with this issue.
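The advisory gives no code, so the following is an added, constructed illustration of the defensive pattern it calls for, not libexpat's own xmlwf code: when an output path is built from a caller-supplied directory and a document name, the length arithmetic is checked for wrap-around before any buffer is sized. The function names and the "dir/base" layout are assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: the buffer for "<outdir>/<base>" needs
 * dir_len + 1 (separator) + base_len + 1 (NUL) bytes. An unchecked
 * "dir_len + base_len + 2" can wrap to a small value, so the allocation
 * is too short and the later copy runs past it. Here every addition is
 * checked against SIZE_MAX first. Returns 1 and sets *out on success,
 * 0 if the total would wrap. */
int checked_path_len(size_t dir_len, size_t base_len, size_t *out) {
    if (dir_len > SIZE_MAX - 2) {
        return 0;                      /* dir_len + 2 would wrap */
    }
    size_t partial = dir_len + 2;
    if (base_len > SIZE_MAX - partial) {
        return 0;                      /* partial + base_len would wrap */
    }
    *out = partial + base_len;
    return 1;
}

/* Builds "dir/base" in a freshly allocated buffer sized by the checked
 * computation above. Returns NULL if the size check or malloc fails. */
char *join_output_path(const char *dir, const char *base) {
    size_t total = 0;
    if (!checked_path_len(strlen(dir), strlen(base), &total)) {
        return NULL;
    }
    char *buf = malloc(total);
    if (buf == NULL) {
        return NULL;
    }
    snprintf(buf, total, "%s/%s", dir, base);  /* total includes the NUL */
    return buf;
}

/* Small helpers so the behaviour can be checked without printing. */
int path_len_is(size_t dir_len, size_t base_len, size_t expect) {
    size_t n = 0;
    return checked_path_len(dir_len, base_len, &n) && n == expect;
}

int join_equals(const char *dir, const char *base, const char *expect) {
    char *p = join_output_path(dir, base);
    int ok = (p != NULL) && strcmp(p, expect) == 0;
    free(p);
    return ok;
}
```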

Affected Version(s)

libexpat, all versions before 2.8.2

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
