Cyber Posture

CVE-2026-25210

Medium

Published: 30 January 2026

Modified: 10 March 2026
KEV Added
Patch
CVSS Score: 6.9 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.0001 (0.5th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25210 is a medium-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Libexpat Project Libexpat. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 0.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068).

Threat & Defense Details

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local memory corruption (integer overflow in XML buffer handling) with PR:N and high C/I impact enables code execution or data tampering within a target process, directly facilitating T1068 Exploitation for Privilege Escalation when the vulnerable library runs in a higher-privileged context.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.

Deeper analysis (AI)

CVE-2026-25210 is an integer overflow vulnerability (CWE-190) in the doContent function of libexpat versions prior to 2.7.4. The issue arises because there is no integer overflow check during tag buffer reallocation, leading to an improper determination of the buffer size bufSize. This flaw was published on 2026-01-30 and carries a CVSS v3.1 base score of 6.9 (Medium), with vector AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L.

A local attacker needs no privileges and no user interaction to exploit this vulnerability, but attack complexity is high. Successful exploitation has high confidentiality and integrity impact, such as unauthorized data disclosure or modification, and low availability impact, with scope unchanged.

The issue is fixed in libexpat by the patch merged in pull request #1075, which includes commit 9c2d990389e6abe2e44527eeaa8b39f16fe859c7. Security practitioners should upgrade affected libexpat instances to version 2.7.4 or later to resolve the integer overflow.
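
The missing check described above, shown as an added example: this is not libexpat's code and not the patch from pull request #1075. It assumes a buffer that doubles on reallocation with its size held in an int; the names grow_unchecked, grow_checked and grow_buffer are hypothetical.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked growth (the CWE-190 pattern). The shift is done in unsigned
 * arithmetic so the wraparound is well defined here; on a plain int the
 * same doubling would be undefined behaviour. The cast back to int yields
 * a negative size on gcc and clang. */
int grow_unchecked(int cur_size) {
  return (int)((unsigned int)cur_size << 1);
}

/* Checked growth: stores the doubled size in *out and returns 0, or returns
 * -1 when the current size is invalid or doubling would exceed INT_MAX. */
int grow_checked(int cur_size, int *out) {
  if (cur_size <= 0 || cur_size > INT_MAX / 2)
    return -1;
  *out = cur_size * 2;
  return 0;
}

/* Reallocation wrapper: on any failure the old buffer and *size are left
 * untouched, so the caller can report out-of-memory and free normally. */
char *grow_buffer(char *buf, int *size) {
  int new_size;
  if (grow_checked(*size, &new_size) != 0)
    return NULL;
  char *tmp = realloc(buf, (size_t)new_size);
  if (tmp == NULL)
    return NULL;
  *size = new_size;
  return tmp;
}

int main(void) {
  int cur = 0x40000000; /* constructed value: 1 GiB buffer */
  int next = 0;
  printf("unchecked: %d -> %d\n", cur, grow_unchecked(cur));
  printf("checked:   %d -> %s\n", cur,
         grow_checked(cur, &next) == 0 ? "ok" : "rejected");
  return 0;
}
```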

Details

CWE(s)

Affected Products

libexpat project libexpat, versions ≤ 2.7.4

CVEs Like This One

CVE-2026-41080 (same product: Libexpat Project Libexpat)
CVE-2025-24156 (shared CWE-190)
CVE-2026-0031 (shared CWE-190)
CVE-2026-0861 (shared CWE-190)
CVE-2026-37540 (shared CWE-190)
CVE-2025-33218 (shared CWE-190)
CVE-2026-21385 (shared CWE-190)
CVE-2025-0587 (shared CWE-190)
CVE-2026-31648 (shared CWE-190)
CVE-2024-40635 (shared CWE-190)
