Bug 2442938 (CVE-2026-27942) - CVE-2026-27942 fast-xml-parser: fast-xml-parser: Stack overflow leads to Denial of Service
Keywords:
Status: NEW
Alias: CVE-2026-27942
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2442968 2442969
Blocks:
Reported: 2026-02-26 03:02 UTC by OSIDB Bzimport
Modified: 2026-02-26 09:58 UTC
CC List: 43 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Description OSIDB Bzimport 2026-02-26 03:02:17 UTC
fast-xml-parser allows users to validate XML, parse XML to a JS object, or build XML from a JS object without C/C++ based libraries and without callbacks. Prior to version 5.3.8, the application crashes with a stack overflow when a user uses the XML builder with `preserveOrder:true`. Version 5.3.8 fixes the issue. As a workaround, use the XML builder with `preserveOrder:false` or check the input data before passing it to the builder.

