Cyber Resilience

CVE-2006-10003

Severity: Critical (updated)
Published: 19 March 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: 19 March 2026
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0051 (39.7th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2006-10003 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Toddr Xml (XML::Parser for Perl). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 39.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2006-10003 is an off-by-one heap buffer overflow in the st_serial_stack function of XML::Parser versions through 2.47 for Perl. The vulnerability arises when stackptr equals stacksize - 1; in this case, the stack is not expanded, and the subsequent increment of stackptr to stacksize results in a write just outside the allocated buffer. It manifests when parsing an XML file with very deep element nesting and is classified under CWE-122 (heap-based buffer overflow) and CWE-193 (off-by-one error).

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network with low attack complexity, requiring no privileges or user interaction, and unchanged scope. A remote unauthenticated attacker can supply a specially crafted XML document featuring excessive nesting depth to trigger the heap overflow, potentially achieving high-impact confidentiality, integrity, and availability violations such as arbitrary code execution.

The advisories address mitigation by updating XML::Parser. A fix is provided in the GitHub commit at https://github.com/cpan-authors/XML-Parser/commit/3eb9cc95420fa0c3f76947c4708962546bf27cfd.patch, with discussion in the repository issue https://github.com/cpan-authors/XML-Parser/issues/39, CPAN RT ticket #19860 at https://rt.cpan.org/Ticket/Display.html?id=19860, the oss-security mailing list at http://www.openwall.com/lists/oss-security/2026/03/19/2, and the Debian LTS announcement at https://lists.debian.org/debian-lts-announce/2026/04/msg00002.html.

EU & UK References

Vulnerability details

XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflow in st_serial_stack. In the case (stackptr == stacksize - 1), the stack will NOT be expanded. Then the new value will be written at location (++stackptr), which equals stacksize and therefore falls just outside the allocated buffer. The bug can be observed when parsing an XML file with very deep element nesting.
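The off-by-one described above, as an added C illustration that is not XML::Parser's code: a hypothetical growable stack whose only names taken from the advisory are stackptr and stacksize. The shape of the flawed comparison is an assumption consistent with the description (the buffer grows only once stackptr has already reached stacksize, so at stackptr == stacksize - 1 nothing grows and ++stackptr lands on index stacksize); the corrected check grows the buffer whenever the next slot, stackptr + 1, would lie outside it. The flawed path is evaluated arithmetically rather than executed, so the program itself never writes out of bounds, while the corrected push is driven to a large nesting depth to show that the top index always stays inside the allocation.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of a serial stack of open elements. This is NOT
 * XML::Parser's st_serial_stack; only the names stackptr and stacksize
 * come from the advisory text. */
typedef struct {
    int *items;     /* heap buffer with room for 'stacksize' entries */
    int  stacksize; /* number of entries allocated */
    int  stackptr;  /* index of the current top entry, -1 when empty */
} serial_stack;

/* Assumed shape of the flawed growth test: grows only once stackptr has
 * reached stacksize. At stackptr == stacksize - 1 it returns 0, and the
 * following items[++stackptr] would write index stacksize, one past the
 * end of the buffer. Never used for a real push here. */
int needs_grow_buggy(int stackptr, int stacksize) {
    return stackptr >= stacksize;
}

/* Corrected test: grow as soon as the next slot (stackptr + 1) would be
 * outside [0, stacksize). */
int needs_grow_fixed(int stackptr, int stacksize) {
    return stackptr + 1 >= stacksize;
}

/* Pure arithmetic check: would a push from this state, under the given
 * growth test, write past the (possibly doubled) buffer? 1 = yes. */
int push_writes_out_of_bounds(int (*needs_grow)(int, int),
                              int stackptr, int stacksize) {
    int capacity = needs_grow(stackptr, stacksize) ? stacksize * 2 : stacksize;
    return (stackptr + 1) >= capacity;
}

int stack_init(serial_stack *s, int capacity) {
    s->items = calloc((size_t)capacity, sizeof *s->items);
    if (s->items == NULL) return -1;
    s->stacksize = capacity;
    s->stackptr = -1;
    return 0;
}

/* Push using the corrected check. Returns 0 on success, -1 if growth fails. */
int stack_push(serial_stack *s, int value) {
    if (needs_grow_fixed(s->stackptr, s->stacksize)) {
        int newsize = s->stacksize * 2;
        int *p = realloc(s->items, (size_t)newsize * sizeof *p);
        if (p == NULL) return -1;
        s->items = p;
        s->stacksize = newsize;
    }
    s->items[++s->stackptr] = value;   /* always < stacksize after the check */
    return 0;
}

void stack_free(serial_stack *s) {
    free(s->items);
    s->items = NULL;
}

/* Simulates 'depth' nested start tags on the corrected stack and reports
 * whether the top index is depth - 1 and still inside the allocation.
 * Returns 1 if the invariant held throughout, 0 otherwise. */
int fixed_stack_holds(int depth) {
    serial_stack s;
    int ok = 1;
    if (stack_init(&s, 4) != 0) return 0;
    for (int i = 0; i < depth && ok; i++) {
        if (stack_push(&s, i) != 0 || s.stackptr >= s.stacksize) ok = 0;
    }
    if (ok && s.stackptr != depth - 1) ok = 0;
    stack_free(&s);
    return ok;
}

int main(void) {
    printf("flawed check at stackptr=3, stacksize=4 writes out of bounds: %d\n",
           push_writes_out_of_bounds(needs_grow_buggy, 3, 4));
    printf("fixed  check at stackptr=3, stacksize=4 writes out of bounds: %d\n",
           push_writes_out_of_bounds(needs_grow_fixed, 3, 4));
    printf("corrected stack holds at depth 100000: %d\n", fixed_stack_holds(100000));
    return 0;
}
```

The boundary case the advisory names, stackptr == stacksize - 1, is exactly the state in which the two checks disagree; every shallower state is safe under either, which is why the defect only shows up on deeply nested input that fills the initial allocation.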

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated heap buffer overflow in XML parser library enables arbitrary code execution via crafted input over the network, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2006-10002: same product (Toddr Xml)
CVE-2026-4177: same vendor (Toddr)
CVE-2026-48689: shared CWE-122, CWE-193
CVE-2025-53511: shared CWE-122
CVE-2026-20868: shared CWE-122
CVE-2026-0006: shared CWE-122
CVE-2026-22828: shared CWE-122
CVE-2026-4395: shared CWE-122
CVE-2025-23317: shared CWE-122
CVE-2025-67896: shared CWE-122

Affected Assets

toddr
xml\

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-2 Flaw Remediation (prevent)

Directly mandates timely identification, prioritization, and remediation of software flaws like the heap buffer overflow in XML::Parser through patching to a version later than 2.47.

SI-16 Memory Protection (prevent)

Implements memory protection mechanisms such as address space layout randomization, data execution prevention, and heap hardening to mitigate exploitation of the off-by-one heap buffer overflow.

Input validation (prevent)

Requires validation of XML inputs to detect and reject specially crafted documents with excessive nesting depth that trigger the st_serial_stack overflow.

References