VYPR
Critical severity 9.8 · NVD Advisory · Published Mar 19, 2026 · Updated Apr 4, 2026

CVE-2006-10003

Description

XML::Parser versions through 2.47 for Perl have an off-by-one heap buffer overflow in st_serial_stack.

In the case (stackptr == stacksize - 1), the stack will NOT be expanded. Then the new value will be written at location (++stackptr), which equals stacksize and therefore falls just outside the allocated buffer.

The bug can be observed when parsing an XML file with very deep element nesting.
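
A memory-safe model of the check described above, added here as an illustration; it is not code from XML::Parser. The function name, the starting index of 0 and the initial slot count are assumptions; only the two conditions and the 512-slot growth step come from this page.

```c
#include <stdio.h>
#include <stdlib.h>

enum { GROW = 512 };   /* growth step, taken from the fix commit */

/* Model of the push described above. Pushes `depth` values onto a stack of
 * unsigned int that starts with `initial` slots (assumed value) and index 0
 * (assumed). Returns how many pushes targeted an index >= the allocated
 * size. The out-of-bounds store is counted, not performed. */
static unsigned int count_oob_pushes(unsigned int depth, unsigned int initial,
                                     int fixed)
{
    unsigned int size = initial, ptr = 0, oob = 0;
    unsigned int *buf = calloc(size, sizeof *buf);
    if (!buf) abort();

    for (unsigned int serial = 1; serial <= depth; serial++) {
        /* original check vs. the check from the fix commit */
        int grow = fixed ? (ptr + 1 >= size) : (ptr >= size);
        if (grow) {
            unsigned int *nb = realloc(buf, (size + GROW) * sizeof *nb);
            if (!nb) abort();
            buf = nb;
            size += GROW;
        }
        ++ptr;                      /* the write goes to (++stackptr) */
        if (ptr >= size)
            oob++;                  /* one slot past the buffer */
        else
            buf[ptr] = serial;
    }
    free(buf);
    return oob;
}

int main(void)
{
    printf("original check, depth 600:  %u\n", count_oob_pushes(600, 512, 0));
    printf("fixed check,    depth 600:  %u\n", count_oob_pushes(600, 512, 1));
    printf("original check, depth 1024: %u\n", count_oob_pushes(1024, 512, 0));
    return 0;
}
```

With an assumed initial size of 512, the original check lets exactly one push per 512-slot boundary land past the buffer, and the fixed check lets none; a nesting depth below the initial size never reaches the faulty branch at all.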

Affected products

1
  • cpe:2.3:a:toddr:xml\:\:parser:*:*:*:*:*:perl:*:*
    Range: <2.48

Patches

1
3eb9cc95420f

Merge pull request #122 from toddr-bot/koan.toddr.bot/fix-issue-39

https://github.com/cpan-authors/XML-Parser · Todd Rinaldo · Mar 16, 2026 · via nvd-ref
2 files changed · +23 -1
  • Expat/Expat.xs +1 -1 modified
    @@ -514,7 +514,7 @@ startElement(void *userData, const char *name, const char **atts)
         }
       }
     
    -  if (cbv->st_serial_stackptr >= cbv->st_serial_stacksize) {
    +  if (cbv->st_serial_stackptr + 1 >= cbv->st_serial_stacksize) {
         unsigned int newsize = cbv->st_serial_stacksize + 512;
     
         Renew(cbv->st_serial_stack, newsize, unsigned int);
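
Review bot: The new condition `cbv->st_serial_stackptr + 1 >= cbv->st_serial_stacksize` has no comment explaining the `+ 1`, so the invariant it protects is easy to break again in a later cleanup. Suggest a one-line comment above the `if` stating that the push writes at `++stackptr`, so the index that must stay below `st_serial_stacksize` is `st_serial_stackptr + 1`. It would also help to say in the commit message that growth stays at a fixed 512 slots per `Renew`, since the check and the step together decide which depth first triggers reallocation.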
    
  • t/deep_nesting.t +22 -0 added
    @@ -0,0 +1,22 @@
    +BEGIN { print "1..1\n"; }
    +
    +# Test for deeply nested elements to exercise st_serial_stack reallocation.
    +# This catches off-by-one errors in the stack growth check (GH #39).
    +
    +use XML::Parser;
    +
    +my $depth = 600;
    +
    +my $xml = '';
    +for my $i (1 .. $depth) {
    +    $xml .= "<e$i>";
    +}
    +for my $i (reverse 1 .. $depth) {
    +    $xml .= "</e$i>";
    +}
    +
    +my $p = XML::Parser->new;
    +eval { $p->parse($xml) };
    +
    +print "not " if $@;
    +print "ok 1\n";
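
Review bot: The pass condition at the end of t/deep_nesting.t, `print "not " if $@;`, only detects a Perl-level exception from `parse`, and a write one `unsigned int` past the buffer need not raise one, so this test can pass against the unfixed check. Suggest also asserting on observable behaviour, for example counting Start handler calls and comparing the count with `$depth`, and running the test under a memory checker in CI. Separately, `my $depth = 600;` exercises the growth path only if the initial `st_serial_stacksize` is below 600, which this diff does not show; a depth that crosses several 512-slot steps would cover the boundary more reliably.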
    
