CVE-2026-25210

EUVD-2026-5042
In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.9 MEDIUM
LOCAL
HIGH
NONE
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
mitreCNA
6.9 MEDIUM
LOCAL
HIGH
NONE
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
expat
bookworm
no-dsa
bookworm (security)
vulnerable
bullseye
postponed
bullseye (security)
vulnerable
forky
2.7.4-1
fixed
sid
2.7.4-1
fixed
trixie
no-dsa
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
expat
bionic
Fixed 2.2.5-3ubuntu0.9+esm3
released
focal
Fixed 2.2.9-1ubuntu0.8+esm1
released
jammy
Fixed 2.4.7-1ubuntu0.7
released
noble
Fixed 2.6.1-2ubuntu0.4
released
questing
Fixed 2.7.1-2ubuntu0.2
released
trusty
Fixed 2.1.0-4ubuntu1.4+esm11
released
xenial
Fixed 2.1.0-7ubuntu0.16.04.5+esm11
released
coin3
bionic
needs-triage
focal
not-affected
jammy
not-affected
noble
not-affected
questing
not-affected
trusty
needs-triage
xenial
needs-triage
apache2
bionic
not-affected
focal
not-affected
jammy
not-affected
noble
not-affected
questing
not-affected
trusty
not-affected
xenial
not-affected
apr-util
bionic
not-affected
focal
not-affected
jammy
not-affected
noble
not-affected
questing
not-affected
trusty
not-affected
xenial
not-affected
cmake
bionic
not-affected
focal
not-affected
jammy
not-affected
noble
not-affected
questing
not-affected
xenial
not-affected
ghostscript
bionic
not-affected
focal
not-affected
jammy
not-affected
noble
not-affected
questing
not-affected
xenial
not-affected
texlive-bin
bionic
not-affected
focal
not-affected
jammy
not-affected
noble
not-affected
questing
not-affected
xenial
not-affected
xmlrpc-c
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
questing
needs-triage
trusty
needs-triage
xenial
needs-triage
vnc4
bionic
needs-triage
jammy
dne
noble
dne
questing
dne
trusty
needs-triage
xenial
needs-triage
wbxml2
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
questing
needs-triage
xenial
needs-triage
swish-e
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
questing
needs-triage
xenial
needs-triage
insighttoolkit4
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
dne
questing
dne
xenial
needs-triage
cadaver
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
questing
needs-triage
xenial
needs-triage
gdcm
bionic
needs-triage
focal
not-affected
jammy
not-affected
noble
not-affected
questing
not-affected
trusty
not-affected
xenial
needs-triage
ayttm
jammy
dne
noble
dne
questing
dne
xenial
needs-triage
cableswig
jammy
dne
noble
dne
questing
dne
xenial
needs-triage
matanza
bionic
needs-triage
focal
ignored
jammy
ignored
noble
ignored
questing
ignored
xenial
needs-triage
tdom
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
questing
needs-triage
xenial
needs-triage
vtk
jammy
dne
noble
dne
questing
dne
trusty
needs-triage
xenial
needs-triage
smart
bionic
needs-triage
jammy
dne
noble
dne
questing
dne
xenial
needs-triage
firefox
jammy
not-affected
noble
not-affected
questing
not-affected
thunderbird
jammy
not-affected
noble
not-affected
questing
not-affected
libxmltok
bionic
Fixed 1.2-4ubuntu0.18.04.1~esm6
released
focal
Fixed 1.2-4ubuntu0.20.04.1~esm6
released
jammy
Fixed 1.2-4ubuntu0.22.04.1~esm6
released
noble
Fixed 1.2-4.1ubuntu2.24.0.4.1+esm4
released
questing
dne
xenial
Fixed 1.2-3ubuntu0.16.04.1~esm5
released
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://github.com/libexpat/libexpat/pull/1075
https://github.com/libexpat/libexpat/pull/1075/commits/9c2d990389e6abe2e44527eeaa8b39f16fe859c7