CVE-2006-10003

9.8 CRITICAL

Published: March 19, 2026 Modified: March 19, 2026

Description

XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflow in st_serial_stack. In the case (stackptr == stacksize - 1), the stack will NOT be expanded. Then the new value will be written at location (++stackptr), which equals stacksize and therefore falls just outside the allocated buffer. The bug can be observed when parsing an XML file with very deep element nesting

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://github.com/cpan-authors/XML-Parser/commit/3eb9cc95420fa0c3f76947c4708962546bf27cfd.patch

Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e

Patch

https://github.com/cpan-authors/XML-Parser/issues/39

Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e

Issue Tracking

https://rt.cpan.org/Ticket/Display.html?id=19860

Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e

Mailing List

http://www.openwall.com/lists/oss-security/2026/03/19/2

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List Patch Third Party Advisory

4 reference(s) from NVD

Quick Stats

CVSS v3 Score

9.8 / 10.0

EPSS (Exploit Probability)

0.0%

5th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-122 CWE-193

Affected Vendors

toddr

Related CVEs

CVE-2026-4472 6.3

CVE-2026-4471 4.7

CVE-2026-4470 4.7

CVE-2026-4469 4.7

CVE-2026-33035 N/A