Cyber Resilience

CVE-2026-25210

Medium · Updated

Published: 30 January 2026
Modified: 02 June 2026
KEV Added
Patch
CVSS Score v3.1: 6.9 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.0001 (0.6th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25210 is a medium-severity Integer Overflow or Wraparound (CWE-190) vulnerability in libexpat (vendor: libexpat project). Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 0.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25210 is an integer overflow vulnerability (CWE-190) in the doContent function of libexpat versions prior to 2.7.4. The issue arises because there is no integer overflow check during tag buffer reallocation, leading to an improper determination of the buffer size bufSize. This flaw was published on 2026-01-30 and carries a CVSS v3.1 base score of 6.9 (Medium), with vector AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L.

The vulnerability is exploitable locally, with no privileges and no user interaction required, but attack complexity is high. Successful exploitation has high confidentiality and integrity impact, such as unauthorized data disclosure or modification, and low availability impact; the scope is unchanged.

The fix was merged into libexpat in pull request #1075, including commit 9c2d990389e6abe2e44527eeaa8b39f16fe859c7. Security practitioners should upgrade affected libexpat instances to version 2.7.4 or later to resolve the integer overflow.
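The kind of check described above, as an added example (not libexpat's code and not the patch from pull request #1075): a capacity that is doubled on growth is compared against INT_MAX / 2 before the multiplication, and the buffer is left untouched on failure. The tagbuf struct, the function names, the int capacity, the 32-byte starting size and the doubling policy are assumptions made for illustration.

```c
#include <limits.h>
#include <stdlib.h>

/* Hypothetical tag buffer for illustration; not libexpat's own structure. */
typedef struct {
    char *buf;
    int   size;   /* current capacity in bytes */
} tagbuf;

/* Unchecked pattern (CWE-190): double an int capacity with no upper bound.
 * Done in unsigned arithmetic so the wrap is visible without signed-overflow
 * undefined behaviour; on common compilers the result becomes negative. */
int next_size_unchecked(int cur) {
    return (int)((unsigned)cur << 1);
}

/* Checked pattern: test before multiplying. Returns 1 and stores the new
 * capacity in *out, or returns 0 (leaving *out alone) if it cannot be
 * represented in an int. */
int next_size_checked(int cur, int needed, int *out) {
    if (cur <= 0 || needed < 0)
        return 0;
    while (cur < needed) {
        if (cur > INT_MAX / 2)   /* cur * 2 would overflow */
            return 0;
        cur *= 2;
    }
    *out = cur;
    return 1;
}

/* Grow tb to hold at least `needed` bytes; tb is unchanged on any failure. */
int tagbuf_reserve(tagbuf *tb, int needed) {
    int start = tb->size > 0 ? tb->size : 32;  /* assumed initial capacity */
    int n;
    char *tmp;
    if (needed >= 0 && needed <= tb->size)
        return 1;
    if (!next_size_checked(start, needed, &n))
        return 0;
    tmp = realloc(tb->buf, (size_t)n);
    if (tmp == NULL)
        return 0;
    tb->buf = tmp;
    tb->size = n;
    return 1;
}
```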

Vulnerability details

In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.

CWE(s)

CWE-190 Integer Overflow or Wraparound

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local memory corruption (integer overflow in XML buffer handling) with PR:N and high C/I impact enables code execution or data tampering within a target process, directly facilitating T1068 Exploitation for Privilege Escalation when the vulnerable library runs in a higher-privileged context.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-41080: Same product (Libexpat Project Libexpat)
CVE-2025-0587: Shared CWE-190
CVE-2025-24156: Shared CWE-190
CVE-2025-33219: Shared CWE-190
CVE-2025-47363: Shared CWE-190
CVE-2024-34733: Shared CWE-190
CVE-2026-0028: Shared CWE-190
CVE-2026-35415: Shared CWE-190
CVE-2025-23016: Shared CWE-190
CVE-2025-33218: Shared CWE-190

Affected Assets

Vendor: libexpat project
Product: libexpat
Versions: ≤ 2.7.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly requires timely installation of the vendor patch (libexpat 2.7.4+) that adds the missing integer-overflow check in doContent buffer reallocation.

Prevent: Mandates validation of numeric inputs and size calculations, exactly the integer-overflow check absent from tag-buffer reallocation in doContent.

Detect: Requires integrity verification of software components, enabling detection of an unpatched or tampered libexpat binary that still contains the flawed doContent logic.