{"id":"CVE-2026-8177","summary":"XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences","details":"XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences.\n\nA node name ending in the middle of a multi byte UTF-8 sequence causes the parser to read past the end of the input string into adjacent heap memory.\n\nAny Perl process that passes attacker controlled strings to XML::LibXML's DOM node-name methods can reach this path on the default API. The likely consequence is a crash, causing denial of service.","modified":"2026-07-17T03:41:47.849012707Z","published":"2026-05-10T20:48:51.816Z","related":["ALSA-2026:39553","ALSA-2026:39878","SUSE-SU-2026:22081-1","SUSE-SU-2026:2324-1","SUSE-SU-2026:2402-1","openSUSE-SU-2026:10854-1","openSUSE-SU-2026:20908-1"],"database_specific":{"cna_assigner":"CPANSec","cwe_ids":["CWE-125"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8177.json"},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/05/10/8"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/05/11/2"},{"type":"WEB","url":"https://cpan.org/modules"},{"type":"WEB","url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-8177.json"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:39547"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:39553"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:39878"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2026-8177"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8177.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-8177"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2468684"},{"type":"REPORT","url":"https://github.com/cpan-authors/XML-LibXML/issues/146"},{"type":"REPORT","url":"https://github.com/cpan-authors/XML-LibXML/pull/149"},{"type":"FIX","url":"https://github.com/cpan-authors/XML-LibXML/commit/15652bd905a6c9dda59a81b14d4766adbbae2ea8.patch"},{"type":"PACKAGE","url":"https://github.com/cpan-authors/XML-LibXML"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cpan-authors/xml-libxml","events":[{"introduced":"0"},{"fixed":"e400c9d2d4a063d1ab827d3b0fe5447cd77b3a2f"},{"fixed":"15652bd905a6c9dda59a81b14d4766adbbae2ea8"}],"database_specific":{"source":["DESCRIPTION","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"2.0210"}]}}],"versions":["XML-LibXML-2.0209","XML-LibXML-2.0208","XML-LibXML-2.0207","XML-LibXML-2.0206","XML-LibXML-2.0205","XML-LibXML-2.0204","XML-LibXML-2.0203","XML-LibXML-2.0202","XML-LibXML-2.0201","XML-LibXML-2.0200","XML-LibXML-2.0134","XML-LibXML-2.0133","XML-LibXML-2.0132","XML-LibXML-2.0131","XML-LibXML-2.0129","XML-LibXML-2.0128","XML-LibXML-2.0127","XML-LibXML-2.0126","XML-LibXML-2.0125","XML-LibXML-2.0124","XML-LibXML-2.0123","XML-LibXML-2.0122","XML-LibXML-2.0121","XML-LibXML-2.0120","XML-LibXML-2.0119","XML-LibXML-2.0118","XML-LibXML-2.0117"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-8177.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}