CVE Vulnerabilities

CVE-2026-56132

Incorrect Synchronization

Published: Jun 19, 2026 | Modified: Jun 23, 2026
CVSS 3.x
6.9
MEDIUM
Source:
NVD
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
CVSS 2.x
RedHat/V2
RedHat/V3
6.9 MODERATE
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

In libexpat before 2.8.2, there is a heap-based buffer overflow in doProlog in xmlparse.c because scaffold backing array reallocation is mishandled when there is data-structure sharing across parsers.

Weakness

The product utilizes a shared resource in a concurrent manner, but it does not correctly synchronize access to the resource.

Affected Software

NameVendorStart VersionEnd Version
LibexpatLibexpat_project*2.8.2 (excluding)
Red Hat Hardened ImagesRedHatexpat-main-2.8.2-1.hum1*
CadaverUbuntuquesting*
ExpatUbuntuquesting*
MatanzaUbuntudevel*
MatanzaUbuntuesm-apps/focal*
MatanzaUbuntuesm-apps/jammy*
MatanzaUbuntuesm-apps/noble*
MatanzaUbuntuesm-apps/resolute*
MatanzaUbuntujammy*
MatanzaUbuntunoble*
MatanzaUbuntuquesting*
MatanzaUbunturesolute*
Swish-eUbuntuquesting*
TdomUbuntuquesting*
Wbxml2Ubuntuquesting*
Xmlrpc-cUbuntuquesting*

References