Cyber Resilience

CVE-2006-10002

Severity: High
Published: 19 March 2026
Modified: 23 March 2026
KEV Added: not listed
Patch: 19 March 2026
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0060 (44.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2006-10002 is a high-severity heap-based buffer overflow (CWE-122) in XML::Parser for Perl (listed on this page under the vendor Toddr). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 44.3rd percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations identified are NIST 800-53 SI-2 (Flaw Remediation), in practice upgrading to XML::Parser 2.46, and SI-10 (Information Input Validation).

Deeper analysis

CVE-2006-10002 is a heap-based buffer overflow in XML::Parser versions through 2.45 for Perl. The defect sits in parse_stream() in Expat.xs and is reachable when the input filehandle carries the :utf8 PerlIO layer. The XML input buffer is pre-allocated by byte count, but once the :utf8 layer is active Perl's read() counts in characters and returns decoded characters, so a read that requests N units can return N characters occupying more than N bytes. SvPV() then hands back the underlying multi-byte UTF-8 bytes, whose length can exceed the pre-allocated buffer. The excess bytes are written past the allocation, corrupting the heap (typically reported by the allocator as "double free or corruption") and crashing the process. The issue is classified under CWE-122 (Heap-based Buffer Overflow) and CWE-176 (Improper Handling of Unicode Encoding), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Remote attackers can trigger the overflow without privileges or user interaction by supplying crafted XML to an application that parses it with XML::Parser. Because the mismatch is between character and byte counts, ordinary well-formed XML containing enough multi-byte UTF-8 characters is sufficient to exceed the buffer; the input need not be malformed. Successful exploitation corrupts the heap and crashes the process, a denial of service with no confidentiality or integrity impact. Network reachability depends on how the application feeds the parser: the vulnerable path is parse_stream() reading from a filehandle that carries the :utf8 layer, so an attacker must be able to get their data onto such a handle (an uploaded or proxied XML document, for example). When assessing exposure, check how XML::Parser is invoked and which PerlIO layers are on the handle it reads from.
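To make the unit mismatch concrete, the following Perl script is added here as an illustration; it is not code from XML::Parser, Expat.xs or the fix commit, and it needs nothing beyond core Perl. It opens an in-memory filehandle on a constructed 16-byte UTF-8 string twice, once with the :utf8 layer and once with :raw, reads eight units from each, and compares the character count read() reports with the byte count that backs the scalar, which is what SvPV() hands to C code. The check_buffer() function is a model of the pre-2.46 sizing assumption (a buffer allocated for the requested count, then filled with the SV's bytes), not the real parser code; with :utf8 it reports more bytes than the buffer can hold, with :raw the counts agree.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample input (not captured from a real exploit): eight copies of
# U+00E9 (e-acute), UTF-8 encoded. Eight characters, sixteen bytes on the wire.
my $sample = "\xC3\xA9" x 8;

# Read $want units through the given PerlIO layer from an in-memory handle and
# report: what read() returned, the character length of the buffer, and the
# byte length of the buffer Perl actually holds (what SvPV() would return).
sub read_units {
    my ($layer, $want) = @_;
    open my $fh, "<$layer", \$sample or die "open: $!";
    my $buf = '';
    my $n = read $fh, $buf, $want;
    close $fh;
    my $chars = length $buf;
    my $bytes = do { use bytes; length $buf };   # internal representation size
    return { units => $n, chars => $chars, bytes => $bytes };
}

# Model of the vulnerable sizing assumption (hypothetical, not Expat.xs code):
# the XML input buffer is allocated for $want bytes, then filled with the bytes
# behind the scalar. Returns true when the bytes fit, false when they would
# overrun the allocation.
sub check_buffer {
    my ($layer, $want) = @_;
    my $r = read_units($layer, $want);
    my $fits = $r->{bytes} <= $want;
    my $status = $fits
        ? "ok: $r->{bytes} bytes fit in a $want-byte buffer"
        : "OVERFLOW: $r->{bytes} bytes into a $want-byte buffer";
    printf "%-6s read()=%d chars=%d bytes=%d -> %s\n",
        $layer, $r->{units}, $r->{chars}, $r->{bytes}, $status;
    return $fits;
}

# :utf8 layer: read() counts characters, the scalar holds multi-byte UTF-8.
check_buffer(':utf8', 8);
# :raw layer: read() counts bytes, so the byte length matches the request.
check_buffer(':raw', 8);

# To see which XML::Parser version a host has installed (2.46 carries the fix):
#   perl -MXML::Parser -e 'print "$XML::Parser::VERSION\n"'
```

Run it with any Perl 5 interpreter (perl mismatch.pl). The :raw case is the same comparison that makes avoiding the :utf8 layer a plausible stopgap: when the handle delivers bytes, the count read() returns and the count SvPV() returns are the same quantity.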

Advisories and patches recommend upgrading to XML::Parser version 2.46, which fixes the overflow via commit 56b0509dfc6b559cd7555ea81ee62e3622069255 in the CPAN author's GitHub repository. Related discussion appears in GitHub issue #64, the release Changes on MetaCPAN, RT ticket #19859, and an oss-security mailing list post of 19 March 2026.


Vulnerability details

XML::Parser versions through 2.45 for Perl could overflow the pre-allocated buffer size, cause a heap corruption (double free or corruption) and crashes. With a :utf8 PerlIO layer, parse_stream() in Expat.xs could overflow the XML input buffer because Perl's read() returns decoded characters while SvPV() gives back multi-byte UTF-8 bytes that can exceed the pre-allocated buffer size. This can cause heap corruption (double free or corruption) and crashes.

CWE(s)

CWE-122 Heap-based Buffer Overflow
CWE-176 Improper Handling of Unicode Encoding

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Direct heap buffer overflow in network-facing XML parser enables remote DoS via crafted input causing application crash (CWE-122).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2006-10003: same product (Toddr Xml\)
CVE-2026-7040: shared CWE-122, CWE-176
CVE-2026-4177: same vendor (Toddr)
CVE-2025-0755: shared CWE-122
CVE-2026-7378: shared CWE-122
CVE-2026-30999: shared CWE-122
CVE-2026-33602: shared CWE-122
CVE-2026-24679: shared CWE-122
CVE-2025-70122: shared CWE-122
CVE-2025-32990: shared CWE-122

Affected Assets

Vendor: toddr
Product: xml\ (XML::Parser for Perl, versions through 2.45)

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Upgrade XML::Parser to version 2.46, which removes the heap buffer overflow. Check every Perl installation on a host, including copies bundled in application or vendor directories, not only the system-wide module path.

SI-10 Information Input Validation (prevent)

Validate and size-limit XML accepted from untrusted sources. Note the limit of this control here: the overflow is triggered by well-formed multi-byte UTF-8, which validation cannot reject without breaking legitimate input, so it narrows exposure but does not remove the defect. A narrower stopgap, worth verifying in your own deployment, is to avoid the :utf8 layer on handles passed to XML::Parser and let the parser consume raw bytes, since the character/byte mismatch only arises when that layer is active.

Memory protection (prevent)

Heap randomization and guard pages make the corruption harder to turn into anything beyond a crash. They do not prevent the crash itself, so the denial-of-service impact remains until the upgrade is applied.
