{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-25210", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-01-30T06:40:27.642Z", "datePublished": "2026-01-30T06:40:27.917Z", "dateUpdated": "2026-04-30T03:55:58.137Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "libexpat", "vendor": "libexpat project", "versions": [{"lessThan": "2.7.4", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-190", "description": "CWE-190 Integer Overflow or Wraparound", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-01-30T07:21:13.096Z"}, "references": [{"url": "https://github.com/libexpat/libexpat/pull/1075"}, {"url": "https://github.com/libexpat/libexpat/pull/1075/commits/9c2d990389e6abe2e44527eeaa8b39f16fe859c7"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.7.4"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-29T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-25210"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-30T03:55:58.137Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25210", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-03T15:53:34.212023Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T15:53:38.257Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.9, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "libexpat project", "product": "libexpat", "versions": [{"status": "affected", "version": "0", "lessThan": "2.7.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/libexpat/libexpat/pull/1075"}, {"url": "https://github.com/libexpat/libexpat/pull/1075/commits/9c2d990389e6abe2e44527eeaa8b39f16fe859c7"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-190", "description": "CWE-190 Integer Overflow or Wraparound"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.7.4"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-01-30T07:21:13.096Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25210", "state": "PUBLISHED", "dateUpdated": "2026-04-30T03:55:58.137Z", "dateReserved": "2026-01-30T06:40:27.642Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-01-30T06:40:27.917Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*", "matchCriteriaId": "8506CE35-F4E2-420E-99FB-FC24254BF7DE", "versionEndExcluding": "2.7.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation."}, {"lang": "es", "value": "En libexpat antes de 2.7.4, la funci\u00f3n doContent no determina correctamente el tama\u00f1o del b\u00fafer bufSize porque no hay una comprobaci\u00f3n de desbordamiento de entero para la reasignaci\u00f3n del b\u00fafer de etiquetas."}], "id": "CVE-2026-25210", "lastModified": "2026-03-10T18:17:12.780", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 5.5, "source": "cve@mitre.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-30T07:16:15.570", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/libexpat/libexpat/pull/1075"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/libexpat/libexpat/pull/1075/commits/9c2d990389e6abe2e44527eeaa8b39f16fe859c7"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "cve@mitre.org", "type": "Primary"}]}

{"bugzilla": {"description": "libexpat: libexpat: Information disclosure and data integrity issues due to integer overflow in buffer reallocation", "id": "2435454", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2435454"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.9", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "status": "draft"}, "cwe": "CWE-190", "details": ["A flaw was found in libexpat. A local attacker could exploit an integer overflow vulnerability in the doContent function. This flaw occurs because the buffer size is not properly determined during tag buffer reallocation, which can lead to memory corruption. Successful exploitation may result in information disclosure and data integrity issues."], "name": "CVE-2026-25210", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "expat", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "compat-expat1", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "expat", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "expat", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "expat", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "mingw-expat", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "expat", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-01-30T06:40:27Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-25210\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-25210\nhttps://github.com/libexpat/libexpat/pull/1075\nhttps://github.com/libexpat/libexpat/pull/1075/commits/9c2d990389e6abe2e44527eeaa8b39f16fe859c7"], "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-18T14:30:20.604439+00:00", "value": {"mitigation_remediation": ["Upgrade libexpat to version 2.7.4 or later to eliminate the integer overflow and enforce proper bounds checking.", "If an upgrade is not immediately possible, enforce strict size limits on XML input or implement custom validation to ensure that tags do not exceed a safe threshold before passing data to libexpat.", "Deploy runtime bounds checking or sanitizers, such as AddressSanitizer or Valgrind, during development and testing to detect potential overflows and prevent exploitation in production."], "summary": {"action": "Patch", "impact": "Information Disclosure and Data Integrity"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the libexpat project\u2019s libexpat library on any version prior to 2.7.4. Applications that embed or link against these older releases may be impacted.", "description_and_impact": "A flaw in libexpat\u2019s doContent function allows an integer overflow during tag buffer reallocation, which can expose internal memory contents or corrupt data. The weakness stems from the lack of a bounds check when determining the buffer size, and it is classified as a CWE-190 overflow.", "risk_and_exploitability": "The CVSS base score of 6.9 indicates medium severity. An EPSS score of less than 1% suggests a very low probability of exploitation at the time of analysis, and the vulnerability is not listed in CISA\u2019s KEV catalog. Based on the description, it is inferred that an attacker could craft malicious XML input that triggers the overflow during buffer reallocation when processed by libexpat, potentially leading to information disclosure or data corruption. The attack could originate either locally or remotely, depending on where the XML is accepted."}}}}, "created": "2026-04-18T14:45:03.107628+00:00", "updated": "2026-04-18T14:45:03.107650+00:00", "vendors": []}