> On 10 May 2026, at 22:55, Stig Palmquist <[email protected]> wrote:
> 
> ========================================================================
> CVE-2026-8177 CPAN Security Group
> ========================================================================
> 
> CVE ID: CVE-2026-8177
> Distribution: XML-LibXML
> Versions: through 2.0210
> 
> MetaCPAN: https://metacpan.org/dist/XML-LibXML
> VCS Repo: https://github.com/cpan-authors/XML-LibXML
> 
> 
> XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap
> memory when parsing XML node names containing truncated UTF-8 byte
> sequences
> 
> Description
> -----------
> XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap
> memory when parsing XML node names containing truncated UTF-8 byte
> sequences.
> 
> A node name ending in the middle of a multi-byte UTF-8 sequence causes
> the parser to read past the end of the input string into adjacent heap
> memory.
> 
> Any Perl process that passes attacker-controlled strings to
> XML::LibXML's DOM node-name methods can reach this path on the default
> API. The likely consequence is a crash, causing denial of service.
> 
> Problem types
> -------------
> - CWE-125 Out-of-bounds Read
> 
> Solutions
> ---------
> Upgrade to a future XML::LibXML release, or apply the upstream patch.
> 
> 
> References
> ----------
> https://github.com/cpan-authors/XML-LibXML/issues/146
> https://github.com/cpan-authors/XML-LibXML/commit/15652bd905a6c9dda59a81b14d4766adbbae2ea8.patch
> 
> Timeline
> --------
> - 2026-05-08: Upstream fix merged.
Correction: The timeline for 2026-05-08 stated "Upstream fix merged". This was incorrect. On that date a patch was submitted upstream via PR #149, but it has not yet been merged. https://github.com/cpan-authors/XML-LibXML/pull/149
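As an added illustration of the bug class the advisory describes (this is not XML::LibXML's code, not the upstream patch, and not from the advisory author; the function names utf8_seq_len, utf8_name_is_complete and utf8_cstr_is_complete are hypothetical), the following C scanner walks a byte string the way a UTF-8 name decoder does, but checks the remaining length before consuming any continuation byte. A decoder that trusts the lead byte's announced sequence length and reads the following bytes unconditionally is the pattern that runs past the end of the buffer on a name cut inside a multi-byte sequence; the `need > len - i` test is the check that prevents it. The sample inputs are constructed.

```c
/* Added example: length-aware UTF-8 completeness check for node names.
 * Not XML::LibXML's code; illustrates the bounds check that a decoder
 * needs so that a name truncated inside a multi-byte sequence is
 * rejected instead of read past the end of its buffer. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bytes a UTF-8 sequence occupies according to its lead byte; 0 if the
 * byte cannot start a sequence (stray continuation byte, or 0xF8..0xFF). */
static size_t utf8_seq_len(unsigned char lead)
{
    if (lead < 0x80) return 1;
    if ((lead & 0xE0) == 0xC0) return 2;
    if ((lead & 0xF0) == 0xE0) return 3;
    if ((lead & 0xF8) == 0xF0) return 4;
    return 0;
}

/* Returns 1 if every multi-byte sequence in s[0..len) is complete and each
 * continuation byte has the form 10xxxxxx, 0 otherwise. It never touches a
 * byte at or beyond s + len, whatever the lead bytes announce. This is a
 * shape check only: it does not reject overlong encodings or surrogates,
 * which a full validator would also have to do. */
int utf8_name_is_complete(const unsigned char *s, size_t len)
{
    size_t i = 0;
    while (i < len) {
        size_t need = utf8_seq_len(s[i]);
        if (need == 0) return 0;          /* invalid lead byte */
        if (need > len - i) return 0;     /* truncated sequence: the check that matters */
        for (size_t k = 1; k < need; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return 0;  /* malformed continuation byte */
        }
        i += need;
    }
    return 1;
}

/* Convenience wrapper for NUL-terminated strings. */
int utf8_cstr_is_complete(const char *s)
{
    return utf8_name_is_complete((const unsigned char *)s, strlen(s));
}

int main(void)
{
    /* Constructed samples: an ASCII name, a complete 2-byte sequence
     * (U+00E9), and two names cut inside a multi-byte sequence. */
    const char *samples[] = { "node", "caf\xC3\xA9", "caf\xC3", "x\xE2\x82" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: complete=%d\n", i, utf8_cstr_is_complete(samples[i]));
    return 0;
}
```

A Perl process that cannot yet upgrade can apply the same idea at the boundary: reject or re-encode any externally supplied name that fails a completeness check like this one before handing it to the DOM node-name methods, so the truncated input never reaches the native layer.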
