CVE-2026-8177 PUBLISHED

XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences

Assigner: CPANSec
Reserved: 08.05.2026 Published: 10.05.2026 Updated: 11.05.2026

XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences.

A node name ending in the middle of a multi-byte UTF-8 sequence causes the parser to read past the end of the input string into adjacent heap memory.

Any Perl process that passes attacker-controlled strings to XML::LibXML's DOM node-name methods can reach this path on the default API. The likely consequence is a crash, causing denial of service.
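
The truncation condition described above can be tested on untrusted octets before they are used as a node name. The following Perl is an added example, not code from XML::LibXML or the upstream patch; the function names and sample inputs are constructed, and it assumes the name arrives as raw octets. It checks sequence structure only, not overlong forms or surrogates.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Length implied by a UTF-8 lead byte, or 0 if the byte cannot start a sequence.
sub utf8_seq_len {
    my ($b) = @_;
    return 1 if $b < 0x80;
    return 2 if $b >= 0xC2 && $b <= 0xDF;
    return 3 if $b >= 0xE0 && $b <= 0xEF;
    return 4 if $b >= 0xF0 && $b <= 0xF4;
    return 0;    # continuation byte or invalid lead (0x80-0xC1, 0xF5-0xFF)
}

# Walk the octets of a candidate node name (hypothetical helper).
# Returns undef when every sequence is complete, otherwise a reason string.
sub check_name_bytes {
    my ($bytes) = @_;
    my @o = unpack 'C*', $bytes;
    my $i = 0;
    while ($i < @o) {
        my $need = utf8_seq_len($o[$i]);
        return sprintf('invalid lead byte 0x%02X at offset %d', $o[$i], $i)
            unless $need;
        # Bounds check: the lead byte promises $need octets; refuse to step
        # past the end of the buffer when fewer remain.
        return "truncated ${need}-byte sequence at offset $i"
            if $i + $need > @o;
        for my $j ($i + 1 .. $i + $need - 1) {
            return "bad continuation byte at offset $j"
                if ($o[$j] & 0xC0) != 0x80;
        }
        $i += $need;
    }
    return;
}

# Constructed sample names (not taken from the advisory).
my @samples = (
    [ 'complete 2-byte'  => "caf\xC3\xA9" ],
    [ 'truncated 2-byte' => "caf\xC3" ],
    [ 'truncated 3-byte' => "a\xE2\x82" ],
    [ 'stray continuation' => "\x80x" ],
);
for my $s (@samples) {
    my ($label, $bytes) = @$s;
    my $why = check_name_bytes($bytes);
    printf "%-20s %s\n", $label, defined $why ? "REJECT: $why" : 'ok';
}
```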

Product Status

Vendor: SHLOMIF
Product: XML::LibXML
Versions: Default: unaffected
  • affected from 0 to 2.0210 (incl.)

Solutions

Upgrade to a future XML::LibXML release, or apply the upstream patch.

Problem Types

  • CWE-125 Out-of-bounds Read