Bug#1136300: libxml-libxml-perl: CVE-2026-8177
Salvatore Bonaccorso
carnil at debian.org
Mon May 11 20:15:02 BST 2026
Source: libxml-libxml-perl
Version: 2.0207+dfsg+really+2.0134-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/cpan-authors/XML-LibXML/issues/146
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for libxml-libxml-perl.
CVE-2026-8177[0]:
| XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap
| memory when parsing XML node names containing truncated UTF-8 byte
| sequences. A node name ending in the middle of a multi byte UTF-8
| sequence causes the parser to read past the end of the input string
| into adjacent heap memory. Any Perl process that passes attacker
| controlled strings to XML::LibXML's DOM node-name methods can reach
| this path on the default API. The likely consequence is a crash,
| causing denial of service.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-8177
https://www.cve.org/CVERecord?id=CVE-2026-8177
[1] https://github.com/cpan-authors/XML-LibXML/issues/146
[2] https://lists.security.metacpan.org/cve-announce/msg/39920366/
[3] https://github.com/cpan-authors/XML-LibXML/pull/149
Regards,
Salvatore
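
Added example, not part of the original report and not the upstream fix referenced in [3]: a length-bounded UTF-8 walk in C showing the bug class the CVE description names, where the sequence length claimed by a lead byte is compared against the bytes remaining before any continuation byte is read. The function names and the sample inputs are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Length a UTF-8 sequence claims, judged from its lead byte alone.
   Returns 0 for a byte that cannot start a sequence. */
static size_t utf8_claimed_len(unsigned char lead)
{
    if (lead < 0x80) return 1;                  /* ASCII */
    if (lead >= 0xC2 && lead <= 0xDF) return 2;
    if (lead >= 0xE0 && lead <= 0xEF) return 3;
    if (lead >= 0xF0 && lead <= 0xF4) return 4;
    return 0;                                   /* continuation or invalid lead */
}

/* Walk a name of exactly `len` bytes; no NUL terminator is assumed.
   Returns 1 if every sequence lies wholly inside the buffer, else 0.
   Structural check only: overlong forms and surrogates are not rejected. */
int name_utf8_is_complete(const unsigned char *s, size_t len)
{
    size_t i = 0;
    while (i < len) {
        size_t need = utf8_claimed_len(s[i]);
        if (need == 0)
            return 0;
        if (need > len - i)                     /* truncated: stop before reading past the end */
            return 0;
        for (size_t k = 1; k < need; k++)
            if ((s[i + k] & 0xC0) != 0x80)      /* must be a 10xxxxxx continuation byte */
                return 0;
        i += need;
    }
    return 1;
}

int main(void)
{
    /* Constructed samples: a complete name and one cut inside a 2-byte sequence. */
    const unsigned char ok[]  = { 'c', 'a', 'f', 0xC3, 0xA9 };
    const unsigned char cut[] = { 'c', 'a', 'f', 0xC3 };
    printf("complete:  %d\n", name_utf8_is_complete(ok, sizeof ok));
    printf("truncated: %d\n", name_utf8_is_complete(cut, sizeof cut));
    return 0;
}
```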