Vulnerability in libexpat Affects XML Handling in Software by Various Vendors
CVE-2026-56412

4.9 MEDIUM

Key Information:

Status:
Vendor:
CVE Published: 21 June 2026

What is CVE-2026-56412?

The libexpat library prior to version 2.8.2 mishandles XML tokens in the doCdataSection function. Because the depth of handler calls is not tracked properly, violating certain XML policies can lead to a use-after-free condition. The issue persists because the mitigation for a previously identified vulnerability was incomplete, so applications that use this library should update to the latest version to remain protected.

Affected Version(s)

libexpat 0 < 2.8.2

References

CVSS V3.1

Score: 4.9
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
