XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflow in st_serial_stack. In the case (stackptr == stacksize - 1), the stack will NOT be expanded. Then the new value will be written at location (++stackptr), which equals stacksize and therefore falls just outside the allocated buffer. The bug can be observed when parsing an XML file with very deep element nesting
The bug occurs in the serialization stack structure (st_serial_stack). When the stack pointer (stackptr) reaches a value equal to (stacksize - 1), the mechanism does not expand the buffer, then increments the pointer and writes a new value at address (stackptr == stacksize), which exceeds by one element the allocated heap memory area. This condition is reached when parsing an XML document with exceptionally deeply nested elements, which an attacker can trigger by providing an appropriately crafted XML file.
An attacker can overwrite adjacent heap memory areas, which in practice can lead to arbitrary code execution (RCE), data disclosure, or process destabilization (application crash).
The XML::Parser library should be updated to a version containing the fix indicated in the vendor references (commit 3eb9cc95420fa0c3f76947c4708962546bf27cfd in the cpan-authors/XML-Parser repository). Debian distribution users should install the update package announced by Debian LTS in accordance with the debian-lts-announce notice from April 2026.
XML::Parser for Perl in versions up to and including 2.47 (Toddr XML::Parser).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HToddr Xml\
APPToddr\
Related vulnerabilities
XML::Parser versions through 2.45 for Perl could overflow the pre-allocated buffer size cause a heap corruptio...
Heap buffer overflow i inne podatności w YAML::Syck dla Perl (do wersji 1.36)
YAML::Syck versions before 1.36 for Perl has missing null-terminators which causes out-of-bounds read and pote...