VYPR
Unrated severity · NVD Advisory · Published Jun 21, 2026

CVE-2026-56405

Description

libexpat before 2.8.2 has an integer overflow in getAttributeId.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Signed integer overflow in the loop counter `i` inside `getAttributeId` when scanning an attribute name for a prefix colon."

Attack vector

An attacker can craft a malicious XML document with an attribute name whose length is close to `INT_MAX`. When libexpat parses this document, the `getAttributeId` function increments a signed integer past `INT_MAX`, triggering undefined behavior. This can lead to memory corruption or other security impacts depending on compiler optimizations. [CWE-190]

Affected code

The vulnerability is in the function `getAttributeId` at `expat/lib/xmlparse.c:7198`. The `for (i = 0; name[i]; i++)` loop scans the attribute name for a prefix colon, and the signed integer `i` can overflow when the name length approaches `INT_MAX`, causing undefined behavior.

What the fix does

The patch adds a guard against `INT_MAX` for the loop counter `i` in `getAttributeId`, preventing the signed integer from overflowing. This is the same pattern used in sibling fixes for similar issues in other functions. The fix ensures that even if the attribute name length is at the boundary of the pool block size, the loop counter cannot wrap to negative values.
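The guard pattern described above, shown next to the unguarded loop shape, as an added example (this is not libexpat's code or the actual patch). The function names, return codes and the `limit` parameter are assumptions; `limit` stands in for `INT_MAX` so the boundary can be exercised with short strings.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical return codes for this illustration. */
enum { SCAN_NO_COLON = -1, SCAN_TOO_LONG = -2 };

/* Unguarded shape, matching the loop the advisory quotes: nothing bounds
 * i, so a name of INT_MAX or more bytes makes i++ overflow a signed int,
 * which is undefined behavior in C. */
int scan_prefix_unguarded(const char *name) {
  int i;
  for (i = 0; name[i]; i++) {
    if (name[i] == ':')
      return i; /* index of the prefix colon */
  }
  return SCAN_NO_COLON;
}

/* Guarded shape: the counter is compared with the limit before it is
 * incremented, so it can never step past the limit. With
 * limit == INT_MAX this rules out the signed overflow. */
int scan_prefix_guarded(const char *name, int limit) {
  int i = 0;
  while (name[i]) {
    if (name[i] == ':')
      return i;
    if (i >= limit)
      return SCAN_TOO_LONG; /* refuse instead of wrapping */
    i++;
  }
  return SCAN_NO_COLON;
}

int main(void) {
  /* Constructed sample names; a small limit simulates the boundary. */
  printf("%d\n", scan_prefix_guarded("xlink:href", INT_MAX));
  printf("%d\n", scan_prefix_guarded("abcde", 4));
  printf("%d\n", scan_prefix_unguarded("href"));
  return 0;
}
```

A caller of the guarded form has to treat `SCAN_TOO_LONG` as a parse failure rather than as "no prefix", otherwise an over-long name would be accepted silently.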

Preconditions

  • input: The attacker must supply an XML document with an attribute name whose length is near `INT_MAX` bytes.
  • config: The application must use libexpat to parse the attacker-controlled XML.

Generated on Jun 22, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
