CVE-2021-31348
Description
An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezxml_parse_str() performs incorrect memory handling while parsing crafted XML files (out-of-bounds read after a certain strcspn failure).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ezXML 0.8.6 has an out-of-bounds read/write in ezxml_parse_str() when parsing crafted XML, leading to crash or potential information disclosure.
Vulnerability
In ezXML version 0.8.6, the function ezxml_parse_str() performs incorrect memory handling while parsing crafted XML files. Specifically, after a strcspn failure, an out-of-bounds read occurs, leading to an out-of-bounds write at lines 586 and 587 of ezxml.c. This issue is triggered when EZXML_NOMMAP is not defined, as memory mapping is used in ezxml_parse_fd() [1].
Exploitation
An attacker can exploit this vulnerability by providing a specially crafted XML file to an application that uses the ezXML library. No authentication or special privileges are required; the attacker only needs the ability to supply the malicious XML input. The out-of-bounds write occurs when the library attempts to write past the mmap'ed memory region used for reading the file, resulting in a crash [1].
Impact
Successful exploitation leads to a denial of service due to a crash. Additionally, the out-of-bounds read may disclose sensitive information from adjacent memory. The vulnerability does not appear to allow remote code execution based on the available information [1].
Mitigation
As of the publication date (2021-04-16), no fix has been released for this vulnerability. The bug report on SourceForge remains open [1]. Users are advised to avoid parsing untrusted XML with ezXML 0.8.6 or consider using an alternative XML parsing library until a patch is available.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
59- ezXML/ezXMLdescription
- osv-coords57 versionspkg:rpm/opensuse/netcdf_4_6_1-gnu-hpc&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/netcdf_4_6_1-gnu-mpich-hpc&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/netcdf_4_6_1-gnu-mvapich2-hpc&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/netcdf_4_6_1-gnu-openmpi1-hpc&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/netcdf_4_6_1-gnu-openmpi2-hpc&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/netcdf_4_7_3-gnu-hpc&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/netcdf_4_7_3-gnu-hpc&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/netcdf_4_7_3-gnu-mpich-hpc&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/netcdf_4_7_3-gnu-mpich-hpc&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/netcdf_4_7_3-gnu-mvapich2-hpc&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/netcdf_4_7_3-gnu-mvapich2-hpc&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/netcdf_4_7_3-gnu-openmpi2-hpc&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/netcdf_4_7_3-gnu-openmpi2-hpc&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/netcdf_4_7_3-gnu-openmpi3-hpc&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/netcdf_4_7_3-gnu-openmpi3-hpc&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/netcdf_4_7_4-gnu-hpc&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/netcdf_4_7_4-gnu-mpich-hpc&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/netcdf_4_7_4-gnu-mvapich2-hpc&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/netcdf_4_7_4-gnu-openmpi2-hpc&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/netcdf_4_7_4-gnu-openmpi3-hpc&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/netcdf_4_7_4-gnu-openmpi4-hpc&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/netcdf&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/netcdf-openmpi2&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/netcdf-openmpi3&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/netcdf-openmpi4&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/netcdf-openmpi&distro=openSUSE%20Leap%2015.3pkg:rpm/suse/netcdf_4_6_1-gnu-hpc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOSpkg:rpm/suse/netcdf_4_6_1-gnu-hpc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/netcdf_4_6_1-gnu-hpc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOSpkg:rpm/suse/netcdf_4_6_1-gnu-hpc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSSpkg:rpm/suse/netcdf_4_6_1-gnu-mpich-hpc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOSpkg:rpm/suse/netcdf_4_6_1-gnu-mpich-hpc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/netcdf_4_6_1-gnu-mpich-hpc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOSpkg:rpm/suse/netcdf_4_6_1-gnu-mpich-hpc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSSpkg:rpm/suse/netcdf_4_6_1-gnu-mvapich2-hpc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOSpkg:rpm/suse/netcdf_4_6_1-gnu-mvapich2-hpc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/netcdf_4_6_1-gnu-mvapich2-hpc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOSpkg:rpm/suse/netcdf_4_6_1-gnu-mvapich2-hpc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSSpkg:rpm/suse/netcdf_4_6_1-gnu-openmpi2-hpc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOSpkg:rpm/suse/netcdf_4_6_1-gnu-openmpi2-hpc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/netcdf_4_6_1-gnu-openmpi2-hpc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOSpkg:rpm/suse/netcdf_4_6_1-gnu-openmpi2-hpc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSSpkg:rpm/suse/netcdf_4_7_3-gnu-hpc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2015%20SP2pkg:rpm/suse/netcdf_4_7_3-gnu-mpich-hpc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2015%20SP2pkg:rpm/suse/netcdf_4_7_3-gnu-mvapich2-hpc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2015%20SP2pkg:rpm/suse/netcdf_4_7_3-gnu-openmpi2-hpc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2015%20SP2pkg:rpm/suse/netcdf_4_7_3-gnu-openmpi3-hpc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2015%20SP2pkg:rpm/suse/netcdf_4_7_4-gnu-hpc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2015%20SP3pkg:rpm/suse/netcdf_4_7_4-gnu-hpc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP3pkg:rpm/suse/netcdf_4_7_4-gnu-mpich-hpc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2015%20SP3pkg:rpm/suse/netcdf_4_7_4-gnu-mpich-hpc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP3pkg:rpm/suse/netcdf_4_7_4-gnu-mvapich2-hpc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2015%20SP3pkg:rpm/suse/netcdf_4_7_4-gnu-mvapich2-hpc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP3pkg:rpm/suse/netcdf_4_7_4-gnu-openmpi3-hpc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2015%20SP3pkg:rpm/suse/netcdf_4_7_4-gnu-openmpi3-hpc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP3pkg:rpm/suse/netcdf_4_7_4-gnu-openmpi4-hpc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20HPC%2015%20SP3pkg:rpm/suse/netcdf_4_7_4-gnu-openmpi4-hpc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP3
< 4.6.1-10.7.2+ 56 more
- (no CPE)range: < 4.6.1-10.7.2
- (no CPE)range: < 4.6.1-10.7.2
- (no CPE)range: < 4.6.1-10.7.2
- (no CPE)range: < 4.6.1-10.7.2
- (no CPE)range: < 4.6.1-10.7.2
- (no CPE)range: < 4.7.3-lp152.2.6.1
- (no CPE)range: < 4.7.3-3.7.2
- (no CPE)range: < 4.7.3-lp152.2.6.1
- (no CPE)range: < 4.7.3-3.7.2
- (no CPE)range: < 4.7.3-lp152.2.6.1
- (no CPE)range: < 4.7.3-3.7.2
- (no CPE)range: < 4.7.3-lp152.2.6.1
- (no CPE)range: < 4.7.3-3.7.2
- (no CPE)range: < 4.7.3-lp152.2.6.1
- (no CPE)range: < 4.7.3-3.7.2
- (no CPE)range: < 4.7.4-4.3.2
- (no CPE)range: < 4.7.4-4.3.2
- (no CPE)range: < 4.7.4-4.3.2
- (no CPE)range: < 4.7.4-4.3.2
- (no CPE)range: < 4.7.4-4.3.2
- (no CPE)range: < 4.7.4-4.3.2
- (no CPE)range: < 4.6.1-5.7.1
- (no CPE)range: < 4.7.4-4.3.2
- (no CPE)range: < 4.7.4-4.3.2
- (no CPE)range: < 4.7.4-4.3.2
- (no CPE)range: < 4.6.1-5.7.1
- (no CPE)range: < 4.6.1-10.7.2
- (no CPE)range: < 4.6.1-10.7.2
- (no CPE)range: < 4.6.1-5.7.1
- (no CPE)range: < 4.6.1-5.7.1
- (no CPE)range: < 4.6.1-10.7.2
- (no CPE)range: < 4.6.1-10.7.2
- (no CPE)range: < 4.6.1-5.7.1
- (no CPE)range: < 4.6.1-5.7.1
- (no CPE)range: < 4.6.1-10.7.2
- (no CPE)range: < 4.6.1-10.7.2
- (no CPE)range: < 4.6.1-5.7.1
- (no CPE)range: < 4.6.1-5.7.1
- (no CPE)range: < 4.6.1-10.7.2
- (no CPE)range: < 4.6.1-10.7.2
- (no CPE)range: < 4.6.1-5.7.1
- (no CPE)range: < 4.6.1-5.7.1
- (no CPE)range: < 4.7.3-3.7.2
- (no CPE)range: < 4.7.3-3.7.2
- (no CPE)range: < 4.7.3-3.7.2
- (no CPE)range: < 4.7.3-3.7.2
- (no CPE)range: < 4.7.3-3.7.2
- (no CPE)range: < 4.7.4-4.3.2
- (no CPE)range: < 4.7.4-4.3.2
- (no CPE)range: < 4.7.4-4.3.2
- (no CPE)range: < 4.7.4-4.3.2
- (no CPE)range: < 4.7.4-4.3.2
- (no CPE)range: < 4.7.4-4.3.2
- (no CPE)range: < 4.7.4-4.3.2
- (no CPE)range: < 4.7.4-4.3.2
- (no CPE)range: < 4.7.4-4.3.2
- (no CPE)range: < 4.7.4-4.3.2
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2- lists.debian.org/debian-lts-announce/2021/07/msg00005.htmlmitremailing-listx_refsource_MLIST
- sourceforge.net/p/ezxml/bugs/27/mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.