CVE-2006-10002
March 19, 2026
XML::Parser versions through 2.45 for Perl could overflow the pre-allocated buffer size cause a heap corruption (double free or corruption) and crashes.
A :utf8 PerlIO layer, parse_stream() in Expat.xs could overflow the XML input buffer because Perl's read() returns decoded characters while SvPV() gives back multi-byte UTF-8 bytes that can exceed the pre-allocated buffer size. This can cause heap corruption (double free or corruption) and crashes.
Affected Packages
https://github.com/cpan-authors/XML-Parser.git (GITHUB):
Affected version(s) =v2.40_01 <2.48_01Fix Suggestion:
Update to version 2.48_01https://github.com/cpan-authors/XML-Parser.git (GITHUB):
Affected version(s) =v2.40_01 <2.49Fix Suggestion:
Update to version 2.49https://github.com/cpan-authors/XML-Parser.git (GITHUB):
Affected version(s) =v2.40_01 <2.46Fix Suggestion:
Update to version 2.46https://github.com/cpan-authors/XML-Parser.git (GITHUB):
Affected version(s) =v2.40_01 <2.47Fix Suggestion:
Update to version 2.47https://github.com/cpan-authors/XML-Parser.git (GITHUB):
Affected version(s) =v2.40_01 <2.45Fix Suggestion:
Update to version 2.45https://github.com/cpan-authors/XML-Parser.git (GITHUB):
Affected version(s) =v2.40_01 <2.51Fix Suggestion:
Update to version 2.51Related ResourcesĀ (7)
Do you need more information?
Contact UsCVSS v4
Base Score:
9.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
9.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
EPSS
Base Score:
0.03
