Bug 2468684 (CVE-2026-8177) - CVE-2026-8177 perl-XML-LibXML: XML::LibXML: Denial of Service via truncated UTF-8 in XML node names
Keywords:
Status: NEW
Alias: CVE-2026-8177
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-05-10 22:01 UTC by OSIDB Bzimport
Modified: 2026-06-25 14:34 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-05-10 22:01:16 UTC
XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences.

A node name ending in the middle of a multibyte UTF-8 sequence causes the parser to read past the end of the input string into adjacent heap memory.

Any Perl process that passes attacker-controlled strings to XML::LibXML's DOM node-name methods can reach this path on the default API. The likely consequence is a crash, causing denial of service.
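
A caller-side guard for the condition described above, as an added example that is not from the bug report or from XML::LibXML: it rejects a node name whose last multibyte UTF-8 sequence is cut off before the string reaches a DOM node-name method. The helper names `truncated_utf8_offset` and `safe_node_name` and the sample byte strings are constructed for illustration, and the code assumes names arrive as raw bytes.

```perl
use strict;
use warnings;
use Encode ();

# Hypothetical helper, not part of XML::LibXML.
# Returns the byte offset of a multibyte sequence whose lead byte promises more
# bytes than the string contains, or -1 if no sequence runs past the end.
sub truncated_utf8_offset {
    my ($bytes) = @_;
    my ($i, $len) = (0, length $bytes);
    while ($i < $len) {
        my $lead = ord(substr($bytes, $i, 1));
        my $need = $lead < 0x80            ? 1
                 : ($lead & 0xE0) == 0xC0 ? 2
                 : ($lead & 0xF0) == 0xE0 ? 3
                 : ($lead & 0xF8) == 0xF0 ? 4
                 : 1;    # invalid lead byte: left to the strict decode below
        return $i if $i + $need > $len;
        $i += $need;
    }
    return -1;
}

# Hypothetical guard: returns the decoded character string for a well-formed
# name, or undef for empty, truncated or otherwise malformed UTF-8.
sub safe_node_name {
    my ($bytes) = @_;
    return unless defined $bytes && length $bytes;
    return if truncated_utf8_offset($bytes) >= 0;
    my $copy = $bytes;    # decode() with a CHECK value may modify its argument
    return eval { Encode::decode('UTF-8', $copy, Encode::FB_CROAK) };
}

# Constructed sample inputs (raw bytes as they might arrive from a request).
my @samples = ("item", "caf\xC3\xA9", "caf\xC3", "price\xE2\x82", "\xF0\x9F\x98");
for my $raw (@samples) {
    my $hex = join ' ', map { sprintf('%02X', ord($_)) } split //, $raw;
    if (defined(my $name = safe_node_name($raw))) {
        # Only at this point would $name be handed to a DOM node-name method.
        print "accept  $hex\n";
    } else {
        my $off = truncated_utf8_offset($raw);
        print "reject  $hex",
            ($off >= 0 ? " (sequence cut off at byte $off)" : " (not well-formed UTF-8)"), "\n";
    }
}
```

The guard only filters input in the calling code; the out-of-bounds read in the affected versions is still present.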

