
CVE-2006-10003

CRITICAL | CVSS 3.1: 9.8 | EPSS 0.03%
Updated Apr 04, 2026
Toddr
Parameter: Value
CVSS: 9.8 (CRITICAL)
Affected Versions: before 2.48
Fixed In: 2.48
Type: CWE-193, CWE-122 (Heap-based Buffer Overflow)
Vendor: Toddr
Public PoC: No

XML::Parser versions through 2.47 for Perl have an off-by-one heap buffer overflow in st_serial_stack. In the case (stackptr == stacksize - 1), the stack will NOT be expanded. The new value is then written at location (++stackptr), which equals stacksize and therefore falls just outside the allocated buffer.

The bug can be observed when parsing an XML file with very deep element nesting.
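To make the off-by-one concrete, the following is a constructed model of a growable stack with a pre-increment push, showing the faulty growth check beside a corrected one. It is an added example, not XML::Parser's code; the serial_stack type, the push_buggy/push_fixed/run_pushes names and the PUSH_* result codes are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdlib.h>

/* Constructed model of a growable stack with a pre-increment push, written to
 * illustrate the off-by-one described above. It is not XML::Parser's code. */
typedef struct {
    unsigned *data;
    size_t stackptr;   /* index of the current top element */
    size_t stacksize;  /* number of slots allocated in data */
} serial_stack;

enum { PUSH_OK = 0, PUSH_OVERFLOW = -1, PUSH_NOMEM = -2 };

static int grow(serial_stack *s) {
    size_t n = s->stacksize * 2;
    unsigned *p = realloc(s->data, n * sizeof *p);
    if (!p) return PUSH_NOMEM;
    s->data = p;
    s->stacksize = n;
    return PUSH_OK;
}

/* Buggy variant: grows only once stackptr has already reached stacksize, so at
 * stackptr == stacksize - 1 the write to ++stackptr lands one past the buffer.
 * The second check exists only to keep this demo memory-safe; real code lacks it. */
int push_buggy(serial_stack *s, unsigned v) {
    if (s->stackptr >= s->stacksize && grow(s) != PUSH_OK) return PUSH_NOMEM;
    if (s->stackptr + 1 >= s->stacksize) return PUSH_OVERFLOW;
    s->data[++s->stackptr] = v;
    return PUSH_OK;
}

/* Fixed variant: grow when the slot about to be written would be out of range. */
int push_fixed(serial_stack *s, unsigned v) {
    if (s->stackptr + 1 >= s->stacksize && grow(s) != PUSH_OK) return PUSH_NOMEM;
    s->data[++s->stackptr] = v;
    return PUSH_OK;
}

/* Allocate `slots` entries with the root serial in slot 0, push `depth` nested
 * serials with the chosen push function, and return the first non-OK result. */
int run_pushes(int (*push)(serial_stack *, unsigned), size_t slots, size_t depth) {
    serial_stack s = { malloc(slots * sizeof *s.data), 0, slots };
    int rc = s.data ? PUSH_OK : PUSH_NOMEM;
    if (rc == PUSH_OK) s.data[0] = 0;
    for (size_t i = 1; rc == PUSH_OK && i <= depth; i++) rc = push(&s, (unsigned)i);
    free(s.data);
    return rc;
}
```

With four slots, the buggy push accepts three nested elements and fails on the fourth, exactly the stackptr == stacksize - 1 case; the fixed push grows the buffer and accepts any depth.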

Attack Parameters

Attack Vector: Network (can be exploited remotely)
Attack Complexity: Low (easy to exploit)
Privileges Required: None (no privileges needed)
User Interaction: None (no user interaction needed)

Impact Assessment

Confidentiality: High (complete data leak)
Integrity: High (complete data modification)
Availability: High (complete denial of service)

CVSS Vector v3.1

Vulnerable Products (1)

Configuration: Toddr XML::Parser (cpe:2.3:a:toddr:xml\:\:parser:*:*:*:*:*:perl:*:*)
From (including): none listed
Up to (excluding): 2.48