Mondoo

Vulnerability Management
Technology
Services

Solutions

Financial Services
Manufacturing
Healthcare

Resources

Blog
Vulnerability Database
Documentation
GitHub

Company

About
Careers
Partners
Contact

Legal

Privacy
Terms
Imprint

CVE-2006-10003 | Mondoo Vulnerability Intelligence

Vulnerability IntelligenceCVE-2006-10003

CVE-2006-10003

CRITICAL9.8

XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflow in st_serial_stack

Published Mar 19, 2026

Modified 2 weeks ago

Details

XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflow in st_serial_stack.

In the case (stackptr == stacksize - 1), the stack will NOT be expanded. Then the new value will be written at location (++stackptr), which equals stacksize and therefore falls just outside the allocated buffer.

The bug can be observed when parsing an XML file with very deep element nesting

References

WEB

http://www.openwall.com/lists/oss-security/2026/03/19/2

FIX

https://github.com/cpan-authors/XML-Parser/commit/3eb9cc95420fa0c3f76947c4708962546bf27cfd.patch

WEB

https://github.com/cpan-authors/XML-Parser/issues/39

WEB

https://lists.debian.org/debian-lts-announce/2026/04/msg00002.html

WEB

https://rt.cpan.org/Ticket/Display.html?id=19860

ADVISORY

https://www.cve.org/CVERecord?id=CVE-2006-10003

CVSS Analysis

CVSS v3.1

9.8

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

UnchangedS:U

Impact

Confidentiality

HighC:H

Integrity

HighI:H

Availability

HighA:H

9.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weakness Type (CWE)

Other

CWE-122

CWE-193

Ecosystems

Timeline

PublishedMar 19, 2026

ModifiedApr 4, 2026