CVE Catalog

CVE-2006-10003

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.55%

42th percentile - higher than 42% of all known CVEs

Summary

In the XML::Parser library for Perl versions up to 2.47, there is an off-by-one heap buffer overflow in the st_serial_stack function. The bug occurs when the stack is not expanded upon reaching the maximum size, leading to a write outside the allocated buffer.

Risk Assessment

An attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service by providing a specially crafted XML file with very deep element nesting.

Recommendation

Update the XML::Parser library to version 2.48 or later, which includes a fix for the buffer overflow vulnerability.

Original NVD description (English source)

XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflow in st_serial_stack. In the case (stackptr == stacksize - 1), the stack will NOT be expanded. Then the new value will be written at location (++stackptr), which equals stacksize and therefore falls just outside the allocated buffer. The bug can be observed when parsing an XML file with very deep element nesting

Vulnerability data from NVD (NIST) · CISA KEV · EPSS