| Name | CVE-2026-8177 |
| Description | XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences. A node name that ends in the middle of a multibyte UTF-8 sequence causes the parser to read past the end of the input string into adjacent heap memory. Any Perl process that passes attacker-controlled strings to XML::LibXML's DOM node-name methods can reach this path through the default API. The likely consequence is a crash, causing denial of service. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1136300 |
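The mechanism in the description, a walker that sizes a multibyte sequence from its lead byte and keeps reading without checking how many bytes remain, shown beside a bounds-checked validator that rejects a truncated name before it reaches any decoder. This is an added C illustration written for this page; it is not code from XML::LibXML or libxml2, the function names are assumptions, and the inputs are constructed. The unsafe walker only computes how far past the buffer it would read instead of actually reading there, so the overread distance can be observed safely.

```c
#include <stddef.h>
#include <stdio.h>

/* Length a UTF-8 sequence should have, judged from its lead byte alone.
 * Returns 0 for a byte that cannot start a sequence (a stray continuation
 * byte 0x80..0xBF, or 0xF8..0xFF). */
size_t utf8_seq_len(unsigned char lead)
{
    if (lead < 0x80)           return 1;
    if ((lead & 0xE0) == 0xC0) return 2;
    if ((lead & 0xF0) == 0xE0) return 3;
    if ((lead & 0xF8) == 0xF0) return 4;
    return 0;
}

/* Models the unsafe pattern the advisory describes: a walker that trusts
 * the lead byte and advances by utf8_seq_len() without checking the bytes
 * remaining. It dereferences nothing past `len`; it only reports how many
 * bytes beyond the buffer such a walker would read (0 when it stays in
 * bounds). Hypothetical helper, not the parser's real loop. */
size_t naive_overread(const unsigned char *s, size_t len)
{
    size_t i = 0;
    while (i < len) {
        size_t n = utf8_seq_len(s[i]);
        if (n == 0) n = 1;      /* a naive walker just steps over junk */
        i += n;                 /* may jump beyond len: that is the bug */
    }
    return i - len;             /* bytes that would be read past the end */
}

/* Bounds-checked validator for a name before it reaches a decoder.
 * 0 = well formed, -1 = final sequence is cut off, -2 = invalid lead byte,
 * -3 = a byte inside a sequence is not a continuation byte. */
int utf8_name_check(const unsigned char *s, size_t len)
{
    size_t i = 0;
    while (i < len) {
        size_t n = utf8_seq_len(s[i]);
        if (n == 0) return -2;
        if (n > len - i) return -1;     /* the check the naive walker lacks */
        for (size_t k = 1; k < n; k++)
            if ((s[i + k] & 0xC0) != 0x80) return -3;
        i += n;
    }
    return 0;
}

int main(void)
{
    /* Constructed node names: a complete "cafe" with e-acute, then the
     * same name with the trailing sequence truncated after its lead byte. */
    const unsigned char ok[]  = { 'c', 'a', 'f', 0xC3, 0xA9 };
    const unsigned char cut[] = { 'c', 'a', 'f', 0xC3 };

    printf("complete : check=%d overread=%zu\n",
           utf8_name_check(ok, sizeof ok), naive_overread(ok, sizeof ok));
    printf("truncated: check=%d overread=%zu\n",
           utf8_name_check(cut, sizeof cut), naive_overread(cut, sizeof cut));
    return 0;
}
```

On an unpatched host the practical mitigation is the same check applied on the Perl side to every string that will become a node name, before it is handed to a DOM node-name method; the C form is used here only because it makes the overread distance explicit.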
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| libxml-libxml-perl (PTS) | bullseye | 2.0134+dfsg-2 | vulnerable |
| libxml-libxml-perl (PTS) | bookworm | 2.0207+dfsg+really+2.0134-1 | vulnerable |
| libxml-libxml-perl (PTS) | trixie | 2.0207+dfsg+really+2.0134-5 | vulnerable |
| libxml-libxml-perl (PTS) | forky, sid | 2.0207+dfsg+really+2.0134-8 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libxml-libxml-perl | source | (unstable) | 2.0207+dfsg+really+2.0134-8 | | | 1136300 |
[trixie] - libxml-libxml-perl <no-dsa> (Minor issue; will be fixed via point release)
[bookworm] - libxml-libxml-perl <no-dsa> (Minor issue; will be fixed via point release)
[bullseye] - libxml-libxml-perl <postponed> (Minor issue; can be fixed in next update)
https://lists.security.metacpan.org/cve-announce/msg/39920366/
https://github.com/cpan-authors/XML-LibXML/issues/146
https://github.com/cpan-authors/XML-LibXML/pull/149
Fixed by: https://github.com/cpan-authors/XML-LibXML/commit/059abf5f9336e2213794b5b545c707394cca3ac7 (XML-LibXML-2.0210_11)