CVE-2026-8177

Name: CVE-2026-8177

Description: XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences. A node name ending in the middle of a multi-byte UTF-8 sequence causes the parser to read past the end of the input string into adjacent heap memory. Any Perl process that passes attacker-controlled strings to XML::LibXML's DOM node-name methods can reach this path through the default API. The likely consequence is a crash, causing denial of service.

Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Debian Bugs: 1136300

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package             Release      Version                        Status
libxml-libxml-perl (PTS)   bullseye     2.0134+dfsg-2                  vulnerable
                           bookworm     2.0207+dfsg+really+2.0134-1    vulnerable
                           trixie       2.0207+dfsg+really+2.0134-5    vulnerable
                           forky, sid   2.0207+dfsg+really+2.0134-7    vulnerable

The information below is based on the following data on fixed versions.

Package              Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
libxml-libxml-perl   source   (unstable)   (unfixed)                          1136300

Notes

https://lists.security.metacpan.org/cve-announce/msg/39920366/
https://github.com/cpan-authors/XML-LibXML/issues/146
https://github.com/cpan-authors/XML-LibXML/pull/149
