CVE Catalog

CVE-2026-56131

MediumCVSS 4.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.10%

1th percentile — higher than 1% of all known CVEs

Summary

libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_ResumeParser from within handlers in cases of a policy violation. This can lead to a use-after-free situation.

Risk Assessment

Organizations may be exposed to attacks exploiting this vulnerability, potentially leading to unauthorized memory access and application crashes.

Recommendation

It is recommended to update the libexpat library to version 2.8.2 or later to mitigate this vulnerability.

Original NVD description (English source)

libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_ResumeParser from within handlers in cases of a policy violation. Thus, a use-after-free can occur (similar to the CVE-2026-50219 situation).

Vulnerability data from NVD (NIST) · CISA KEV · EPSS