CVE-2026-50219: libexpat Use-After-Free via Handler Re-Entrancy
libexpat, a widely-used XML parsing library, contains a use-after-free vulnerability in versions before 2.8.2. The flaw occurs when certain XML parsing functions (XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset) are called from within event handlers without proper depth tracking. This can lead to memory safety violations and potentially allow attackers to crash applications or, in some scenarios, execute arbitrary code. The vulnerability requires local access and specific conditions to trigger, making it a moderate-risk issue rather than a widespread internet-facing threat.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.9 MEDIUM · CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-416
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset from within handlers in cases of a policy violation. Thus, a use-after-free can occur,
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-50219 stems from insufficient call depth tracking in libexpat's handler mechanism. The library fails to properly validate when XML parsing API functions are invoked recursively or re-entrantly from within user-defined handlers. When handlers violate the expected execution model by calling parsing functions like XML_ParseBuffer or XML_ParserReset, the library does not maintain correct state management, leading to a use-after-free condition (CWE-416). This allows memory that has been freed to be accessed again, corrupting heap structures or enabling code execution. The vulnerability manifests only under specific re-entrancy patterns and is not exploitable through normal, well-formed XML parsing flows.
Business impact
Organizations using libexpat in local or embedded contexts face elevated risk. Applications that parse untrusted XML files with user-defined callbacks, or that allow dynamic handler registration, become potential attack vectors. A successful exploit could cause denial of service (application crash), data corruption, or privilege escalation if libexpat runs with elevated rights. However, because exploitation requires local access and specific handler behavior, the blast radius is narrower than a remote code execution vulnerability. Developers should prioritize patching in desktop applications, embedded systems, and backend services that accept untrusted XML input.
Affected systems
libexpat before version 2.8.2 is vulnerable. All platforms and architectures where libexpat is compiled are affected, including Linux, Windows, macOS, and embedded systems. Any application or library that depends on libexpat and exercises handler re-entrancy—such as certain XML parsers, configuration readers, and document processors—inherits this risk. Verify your application's dependency chain to confirm libexpat usage and version.
Exploitability
Exploitation requires local access and the ability to either supply malicious XML or trigger specific handler callbacks that invoke libexpat API functions during parsing. The attack surface is limited to scenarios where an application allows untrusted XML processing with custom handlers. Remote exploitation over a network is unlikely unless the application explicitly exposes XML parsing to network input with handler re-entrancy enabled. The CVSS score of 4.9 (MEDIUM) reflects the local-access requirement and the need for specific application-level conditions, even though the underlying flaw is a use-after-free.
Remediation
Upgrade libexpat to version 2.8.2 or later. For applications packaged with embedded libexpat, ensure the library dependency is updated in your build process. After patching, validate that your application correctly recompiles and links against the new version. Test XML parsing workflows to confirm no regressions. For organizations unable to patch immediately, restrict XML input to trusted sources and avoid complex handler logic that re-invokes parsing functions.
Patch guidance
Consult the official libexpat project release notes and advisory for version 2.8.2 to confirm availability for your platform. Package managers (apt, yum, brew, etc.) typically distribute updated versions shortly after release. For proprietary or vendor-bundled versions of libexpat, contact your vendor for patched releases. Verify the patched version using your package manager's verification tools and test in a pre-production environment before deployment.
Detection guidance
Monitor application logs for segmentation faults, heap corruption warnings, or abnormal termination tied to XML parsing. Use dynamic analysis tools (AddressSanitizer, Valgrind) during testing to detect use-after-free events. On production systems, correlate crashes or hangs in libexpat-using processes with suspicious XML input or handler callback chains. Ensure your XML processing endpoints are restricted to trusted sources and that custom handlers are reviewed for re-entrant API calls. Static analysis tools that detect handler re-entrancy patterns can flag risky code before deployment.
Why prioritize this
While the CVSS score is moderate (4.9), prioritization depends on your application's exposure model. If libexpat is used in local or embedded contexts with low exposure to untrusted input, patch urgently but systematically. If libexpat is linked into internet-facing services that accept XML, prioritize higher—treat this as a high-priority patch cycle even though the attack surface is narrower than a remote vulnerability. The use-after-free nature means exploitation, while difficult, can lead to code execution, justifying swift remediation where exposure exists.
Risk score, explained
The CVSS 3.1 score of 4.9 (MEDIUM) reflects: AV:L (local attack vector only), AC:H (high complexity—specific handler re-entrancy required), PR:N (no privileges needed), UI:N (no user interaction), S:U (impact isolated to the vulnerable component), and C:L/I:L/A:L (confidentiality, integrity, and availability all slightly affected). The score appropriately downgrades a use-after-free from critical to moderate because local access and specific conditions are required. In environments where libexpat processes untrusted XML from network sources, actual risk may warrant internal elevation above the base score.
Frequently asked questions
Is this vulnerability remotely exploitable over the network?
No. CVE-2026-50219 requires local access and specific application-level conditions involving handler re-entrancy. Remote exploitation is only possible if an application explicitly processes untrusted XML over the network and implements handlers that re-invoke libexpat API functions—an uncommon pattern. Most web-based XML parsers do not trigger this code path.
Do I need to patch if I only parse trusted, internal XML files?
Even with trusted internal XML, you should patch as a matter of practice. However, risk is lower if your application never uses custom handlers that call libexpat functions during parsing. Review your code to confirm this pattern is absent before deferring the patch.
What is a 'handler' in libexpat, and why does this matter?
Handlers are user-defined callback functions invoked by libexpat during XML parsing (e.g., on encountering an element or character data). The vulnerability occurs only if a handler calls back into libexpat's own functions (like XML_Parse or XML_ParserReset). This re-entrancy violates the library's call-depth tracking, causing the use-after-free. Most applications do not implement this pattern; handlers typically only record data or dispatch events.
What versions of libexpat are affected?
All versions before 2.8.2 are vulnerable. Verify your system's libexpat version using your package manager (e.g., `apt show libexpat1` on Debian/Ubuntu or `rpm -qa libexpat` on RHEL/CentOS). Upgrade to 2.8.2 or later.
This analysis is based on published vulnerability data current as of the advisory date. Exploit availability, real-world attack prevalence, and vendor patch timelines may evolve. Organizations should verify patch availability for their specific libexpat deployment (vendor-bundled, package manager, or embedded) before relying on version numbers alone. SEC.co does not provide exploit code or weaponization assistance. Test patches in non-production environments before production deployment. For mission-critical systems, engage your vendor or a security consultant for guidance tailored to your architecture. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-60486MEDIUMHeap Use-After-Free in GPAC MP4Box MPEG-2 Dasher – DoS Vulnerability
- CVE-2026-10232MEDIUMAssimp Use-After-Free in ASE Parser (CVSS 5.3)
- CVE-2026-10703MEDIUMUse-After-Free in EIPStackGroup OpENer Remote Code Execution Risk
- CVE-2026-10000HIGHChrome Sandbox Escape via Use-After-Free in Password Handling
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10005HIGHChrome macOS Use-After-Free RCE Vulnerability (7.5 CVSS)