VDB

CISA-2006-10002

CISA-2006-10002 PUBLISHED CVSS 9.8 CRITICAL

Reported by CPANSec · Published March 19, 2026

XML::Parser versions through 2.45 for Perl could overflow the pre-allocated buffer size cause a heap corruption (double free or corruption) and crashes. A :utf8 PerlIO layer, parse_stream() in Expat.xs could overflow the XML input buffer because Perl's read() returns decoded characters while SvPV() gives back multi-byte UTF-8 bytes that can exceed the pre-allocated buffer size. This can cause heap corruption (double free or corruption) and crashes.

Risk Scores

CVSS 3.1
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersions
TODDRXML::Parser0
TODDRXML::Parser0, 0, 0

Timeline

  • Mar 19, 2026 CVE Published
  • Mar 22, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›