Nixpkgs security tracker
NIXPKGS-2026-0852
GitHub issue
published 2 months, 3 weeks ago
Permalink
CVE-2026-5037
3.3 LOW
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Local (L)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): None (N)
- Integrity (I): None (N)
- Availability (A): Low (L)
- Exploit Code Maturity (E): Proof-of-Concept (P)
- Remediation Level (RL): Official Fix (O)
- Report Confidence (RC): Confirmed (C)
- Modified Attack Vector (MAV): Local (L)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): None (N)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): None (N)
- Modified Availability (MA): Low (L)
by @mweinelt Activity log
- Created suggestion
- @mweinelt accepted
- @mweinelt published on GitHub
mxml mxmlIndexNew mxml-index.c index_sort stack-based overflow
A vulnerability was determined in mxml up to 4.0.4. This issue affects the function index_sort of the file mxml-index.c of the component mxmlIndexNew. Executing a manipulation of the argument tempr can lead to stack-based buffer overflow. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. This patch is called 6e27354466092a1ac65601e01ce6708710bb9fa5. A patch should be applied to remediate this issue.
References
-
VDB-353963 | mxml mxmlIndexNew mxml-index.c index_sort stack-based overflow technical-descriptionvdb-entry
-
-
Submit #778638 | michaelrsweet mxml 4.0.4 Heap-based Buffer Overflow third-party-advisory
-
https://github.com/michaelrsweet/mxml/issues/350 issue-tracking
Affected products
mxml
- ==4.0.2
- ==4.0.0
- ==4.0.1
- ==4.0.3
- ==4.0.4