VYPR
Unrated severity · NVD Advisory · Published Dec 26, 2019 · Updated Aug 5, 2024

CVE-2019-20006


Description

An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezxml_char_content puts a pointer to the internal address of a larger block as xml->txt. This is later deallocated (using free), leading to a segmentation fault.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ezXML 0.8.3–0.8.6 calls free() on a pointer into the interior of a larger block, set by ezxml_char_content, causing a segmentation fault when parsing crafted XML.

Vulnerability

In ezXML versions 0.8.3 through 0.8.6, the function ezxml_char_content incorrectly sets xml->txt to point to an internal address within a larger allocated block rather than to a separately allocated string. Later, ezxml_free passes this internal pointer to free(), which is only valid for addresses returned by malloc(), calloc() or realloc(). This leads to a segmentation fault, which AddressSanitizer reports as a "bad free" error [1]. The bug is triggered when parsing a specially crafted XML file that causes ezxml_char_content to be called with content that shares a buffer with the parent node [1].
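The ownership mistake described above, reduced to a small C model with the unconditional free beside a version that tracks ownership. This is an added example, not ezXML source code: `node_t`, `txt_owned` and the `node_*` functions are hypothetical names, and the sample buffer is constructed.

```c
/* Simplified model of the bug class; not ezXML source. All names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef struct {
    char *txt;       /* character content */
    int   txt_owned; /* 1 only if txt itself was returned by malloc/realloc */
} node_t;

/* Borrow a slice of the parse buffer: txt becomes an interior pointer. */
void node_borrow_text(node_t *n, char *buf, size_t off, size_t len) {
    buf[off + len] = '\0';               /* terminate in place */
    n->txt = buf + off; n->txt_owned = 0;
}

/* Append content. A borrowed txt is copied first, because realloc() on an
   interior pointer is as invalid as free() on one. Returns 0 on success. */
int node_append_text(node_t *n, const char *s, size_t len) {
    size_t old = n->txt ? strlen(n->txt) : 0;
    char *p = n->txt_owned ? realloc(n->txt, old + len + 1) : malloc(old + len + 1);
    if (!p) return -1;                   /* n->txt is left untouched on failure */
    if (!n->txt_owned && old) memcpy(p, n->txt, old);
    memcpy(p + old, s, len);
    p[old + len] = '\0';
    n->txt = p; n->txt_owned = 1;
    return 0;
}

/* Vulnerable pattern: unconditional free() of txt, even when borrowed. Not called. */
void node_free_unsafe(node_t *n) { free(n->txt); n->txt = NULL; }

/* Hardened: release only what the node owns. Returns 1 if free() was called. */
int node_free(node_t *n) {
    int freed = n->txt_owned;
    if (freed) free(n->txt);
    n->txt = NULL; n->txt_owned = 0;
    return freed;
}

int main(void) {
    char *buf = malloc(32);              /* stands in for the parse buffer */
    if (!buf) return 1;
    strcpy(buf, "<a>hello</a>");         /* constructed sample input */
    node_t n = {NULL, 0};
    node_borrow_text(&n, buf, 3, 5);
    if (node_append_text(&n, " world", 6) == 0) puts(n.txt);
    node_free(&n); free(buf);
    return 0;
}
```

Building a parser with `-fsanitize=address` and running it over a corpus of sample documents surfaces any remaining path where an interior pointer reaches free() as the same "bad free" report.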

Exploitation

An attacker needs only to provide a malicious XML file to be parsed by an application using ezXML. No authentication or special network position is required if the application parses untrusted XML input. The crash occurs deterministically when ezxml_parse_file (or similar parsing functions) processes the crafted file, and ezxml_free is later called on the resulting tree [1]. The attached reproduction in the bug report uses a minimal crashing XML file named crash_006_bad_free.xml [1].

Impact

Successful exploitation causes a segmentation fault (denial of service). The attacker can crash the application by providing a crafted XML file. The vulnerability is limited to denial of service; there is no indication of code execution or information disclosure from the available references [1].

Mitigation

The ezXML project appears unmaintained, and no official patch has been released as of the CVE publication date. Users are advised to avoid using versions 0.8.3 through 0.8.6 or to handle parsing errors gracefully. Since no fixed version is available, applications should not rely on ezXML for parsing untrusted XML input. The bug is not listed in the CISA KEV catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

59

Patches

0

No patches discovered yet.

References

1
