CVE-2019-20005
Description
An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezxml_decode, while parsing a crafted XML file, performs incorrect memory handling, leading to a heap-based buffer over-read while running strchr() starting with a pointer after a '\0' character (where the processing of a string was finished).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A heap buffer over-read in ezXML 0.8.3-0.8.6 allows denial of service via crafted XML.
Vulnerability
In ezXML versions 0.8.3 through 0.8.6, the function ezxml_decode mishandles memory when parsing a crafted XML file. Specifically, after copying a string including its null terminator, the subsequent strchr() call operates on a pointer that points beyond the null character, leading to a heap-based buffer over-read [1].
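The cursor discipline that prevents this class of over-read, shown as an added illustration; it is not ezXML's code and not part of the original advisory. It is a hypothetical in-place entity decoder (decode_in_place, find_from and the entity table are assumed names) that tracks the string length explicitly and replaces each strchr() with a bounded memchr(), so a search can never start beyond the terminator.

```c
#include <stdio.h>
#include <string.h>

/* Constructed entity table for the illustration. */
static const struct { const char *name; char ch; } ENTS[] = {
    { "&lt;", '<' }, { "&gt;", '>' }, { "&amp;", '&' }, { "&quot;", '"' },
};

/* Bounded stand-in for strchr(): looks only at buf[pos..len) and fails
 * closed when the cursor is already past the terminator at buf[len]. */
static long find_from(const char *buf, size_t len, size_t pos, int c)
{
    const char *hit;
    if (pos > len) return -1;                     /* stale cursor */
    hit = memchr(buf + pos, c, len - pos);
    return hit ? (long)(hit - buf) : -1;
}

/* Decode the entities above in place; returns the new string length. */
size_t decode_in_place(char *buf)
{
    size_t len = strlen(buf);                     /* buf[len] is always '\0' */
    long at = find_from(buf, len, 0, '&');

    while (at >= 0) {
        size_t pos = (size_t)at, i;
        for (i = 0; i < sizeof ENTS / sizeof ENTS[0]; i++) {
            size_t n = strlen(ENTS[i].name);
            if (n <= len - pos && memcmp(buf + pos, ENTS[i].name, n) == 0) {
                buf[pos] = ENTS[i].ch;
                /* Shift the tail left, terminator included, and shrink len
                 * so the next search cannot start beyond the new '\0'. */
                memmove(buf + pos + 1, buf + pos + n, len - (pos + n) + 1);
                len -= n - 1;
                break;
            }
        }
        at = find_from(buf, len, pos + 1, '&');   /* pos < len here */
    }
    return len;
}

int main(void)
{
    char sample[] = "a&lt;b&amp;";                /* constructed input */
    printf("%zu %s\n", decode_in_place(sample), sample);
    return 0;
}
```

Because the length shrinks with every memmove(), a trailing or truncated entity such as "x&" or "&am" is left untouched and the scan ends at the terminator instead of walking into adjacent heap memory.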
Exploitation
An attacker can trigger this vulnerability by providing a specially crafted XML file to be parsed by an application using ezXML. No authentication or special privileges are required; the attack is remote if the application parses XML from untrusted sources. The over-read results in a segmentation fault, as demonstrated by AddressSanitizer reports [1].
Impact
Successful exploitation causes a heap buffer over-read, which typically leads to a crash (denial of service) due to accessing memory beyond the allocated buffer. There is no indication of code execution or information disclosure in the available reference [1].
Mitigation
As of the reference publication [1], no fix is available. Users should avoid parsing untrusted XML files with affected versions of ezXML (0.8.3 through 0.8.6) or consider using alternative XML parsing libraries.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (59)
- ezXML/ezXML (description)
- osv-coords: 57 versions
< 4.6.1-10.7.2 (+ 56 more)
Patches (0)
No patches discovered yet.
References (1)
- [1] sourceforge.net/p/ezxml/bugs/14/ (mitre, x_refsource_MISC)