CVE-2006-10003
Perl · XML::Parser
XML::Parser for Perl contains an off-by-one heap buffer overflow in the st_serial_stack function. Attackers can trigger this by providing XML files with deeply nested elements to cause a crash.
Executive summary
A critical heap buffer overflow in the Perl XML::Parser module allows unauthenticated attackers to cause a denial-of-service or potentially execute arbitrary code via specially crafted XML files.
Vulnerability
This vulnerability is a heap-based buffer overflow resulting from an off-by-one error in the st_serial_stack function. An unauthenticated attacker can exploit this flaw by submitting an XML file with extremely deep element nesting, which bypasses stack expansion checks and writes data outside the allocated buffer.
Business impact
A successful exploit of this vulnerability could lead to immediate application instability or a complete system crash, resulting in significant service downtime. Given the CVSS score of 9.8, the flaw also carries a theoretical risk of remote code execution, which would allow an attacker to compromise the integrity of the host server and access sensitive data. Organizations relying on legacy Perl environments for XML processing are at the highest risk.
Remediation
Immediate Action: Update the XML::Parser module to the latest available version (2.48 or higher) via CPAN or the relevant system package manager.
Proactive Monitoring: Implement monitoring for unusual application crashes or segmentation faults specifically occurring during XML parsing tasks.
Compensating Controls: Deploy a Web Application Firewall (WAF) or an XML Gateway to enforce maximum nesting depth limits on all incoming XML payloads.
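The nesting-depth limit described under Compensating Controls can be enforced as a streaming pre-check in front of the vulnerable parser. The following is an added example, not code from this advisory or from the XML::Parser distribution: it uses Python's standard-library Expat binding to count element depth and rejects a document the moment the limit is exceeded, so a deliberately deep payload never reaches XML::Parser and is refused after only a few tags are read. The limit of 64, the function names and the sample documents are all assumptions constructed for the example.

```python
"""Reject XML payloads whose element nesting exceeds a fixed depth.

Added example (not part of the CVE page or of XML::Parser itself): a
pre-parse gate of the kind the "Compensating Controls" item describes,
implemented with Python's bundled Expat binding. The depth limit, the
function names and the sample documents are all constructed here.
"""
import xml.parsers.expat

# Assumed policy value: legitimate documents rarely nest this deep.
MAX_DEPTH = 64


class NestingTooDeep(ValueError):
    """Raised as soon as the element stack grows past the limit."""


def max_nesting_depth(data: bytes, limit: int = MAX_DEPTH) -> int:
    """Stream `data` through Expat and return its maximum element depth.

    Raises NestingTooDeep the moment `limit` is exceeded, so a
    maliciously deep document is rejected after reading only its
    first `limit + 1` start tags rather than after a full parse.
    Malformed XML raises xml.parsers.expat.ExpatError.
    """
    depth = 0
    deepest = 0

    def start(name, attrs):
        nonlocal depth, deepest
        depth += 1
        if depth > limit:
            # Exceptions raised in a handler propagate out of Parse()
            # and stop the parse immediately.
            raise NestingTooDeep(f"nesting depth {depth} exceeds limit {limit}")
        deepest = max(deepest, depth)

    def end(name):
        nonlocal depth
        depth -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(data, True)  # True: this is the final (only) chunk
    return deepest


def payload_is_acceptable(data: bytes, limit: int = MAX_DEPTH) -> bool:
    """Gateway decision: True only for well-formed XML within the depth limit."""
    try:
        max_nesting_depth(data, limit)
    except (NestingTooDeep, xml.parsers.expat.ExpatError):
        return False
    return True


def nested_document(depth: int) -> bytes:
    """Constructed sample: `depth` nested <e> elements."""
    return b"<e>" * depth + b"</e>" * depth


if __name__ == "__main__":
    ordinary = b"<order><item><sku>1</sku></item></order>"
    print(max_nesting_depth(ordinary))                     # 3
    print(payload_is_acceptable(ordinary))                 # True
    print(payload_is_acceptable(nested_document(10_000)))  # False
```

Because the check runs on the element stream rather than on a fully built tree, it costs a single pass over the input and bounds memory use independently of how deep the attacker nests; the same handler pair can be attached to any SAX-style parser at a gateway. Only documents that pass the gate should be handed to an unpatched XML::Parser.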
Exploitation status
Public Exploit Available: No
Analyst recommendation
The severity of this heap overflow necessitates immediate remediation, especially for high-availability systems. Administrators should prioritize updating the Perl XML::Parser library across all production and development environments. If patching is not immediately feasible, strict input validation on XML depth must be enforced at the network perimeter.