CVE-2026-8177
HIGH
XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences
Title source: cna
Description
XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences. A node name that ends in the middle of a multi-byte UTF-8 sequence causes the parser to read past the end of the input string into adjacent heap memory. Any Perl process that passes attacker-controlled strings to XML::LibXML's DOM node-name methods can reach this path through the default API. The likely consequence is a crash, causing denial of service.
References (5)
Core References
Issue Tracking
https://github.com/cpan-authors/XML-LibXML/issues/146
Issue Tracking
https://github.com/cpan-authors/XML-LibXML/pull/149
Scores
CVSS v3: 7.5
EPSS: 0.0047
EPSS Percentile: 37.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-125
Status: published
Products (1)
SHLOMIF/XML::LibXML < 2.0210
Published: May 10, 2026
Tracked Since: May 11, 2026