CVE-2026-25210

In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.

medium 6.9 CVSS 3.1

Published: Jan 30, 2026

Modified: Jun 2, 2026

Product: Libexpat

Description

In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.

References

https://github.com/libexpat/libexpat/pull/1075
https://github.com/libexpat/libexpat/pull/1075/commits/9c2d990389e6abe2e44527eeaa8b39f16fe859c7
https://cert-portal.siemens.com/productcert/html/ssa-253495.html

Related CVEs

CVSS Breakdown

Version	3.1
Score	6.9 / 10
Severity	medium

Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

Weakness (CWE)

CWE-190

Affected Product

Vendor	Libexpat Project
Product	Libexpat