CVE-2026-25210
6.9 MEDIUMIn libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow...
Published: 2026-01-30 · Last updated: 2026-06-02
Severity and scoring
- CVSS
- 6.9 MEDIUM
- Vector
- CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
- CWE
- CWE-190
Affected products
| Vendor | Product |
|---|---|
| libexpat_project | libexpat |
Description
In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-50219 — libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_Pa... (4.9 MEDIUM)
- CVE-2026-24515 — In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data (2.9 LOW)
- CVE-2025-66382 — In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time (2.9 LOW)
Same CWE
- CVE-2025-66280 — An integer overflow or wraparound vulnerability has been reported to affect several QNAP operating system versions
- CVE-2026-34711 — CAI Content Credentials versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier are affected by an Integer Overflow or Wraparound vulnerability (7.5 HIGH)
- CVE-2026-47925 — Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could... (5.5 MEDIUM)
- CVE-2023-29146 — The utility functions used by Malwarebytes EDR 1.0.11 on Linux for calculating a cryptographic hash of data bytes truncate the hashed dat... (8.2 HIGH)
- CVE-2026-47291 — Integer overflow or wraparound in Windows HTTP.sys allows an unauthorized attacker to execute code over a network (9.8 CRITICAL)