CVE-2026-50219: Use After Free
Published Jun 4, 2026
libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset from within handlers in cases of a policy violation. Thus, a use-after-free can occur,
Affected Software
2 affected components
Expat libexpat < 2.8.2
Libexpat Project Libexpat < 2.8.2
Remediation
Patch Available
Event History
Jun 4, 2026
CVE Published via MITRE · 04:20 AM
Data Sourced via MITRE · 04:20 AM: Description, Severity, Weakness
Data Sourced via NVD · 06:16 AM: Remedy, Description, Severity, Weakness, Affected Software
Frequently Asked Questions
1. What is the severity of CVE-2026-50219?
The severity of CVE-2026-50219 is medium with a score of 4.9.
2. What is the main issue described in CVE-2026-50219?
CVE-2026-50219 describes a use-after-free vulnerability in libexpat before version 2.8.2 due to lack of handler call depth tracking.
3. How do I fix CVE-2026-50219?
To fix CVE-2026-50219, upgrade to libexpat version 2.8.2 or later.
4. What can exploit CVE-2026-50219?
CVE-2026-50219 can potentially be exploited in cases of policy violation during handler calls that attempt to access freed memory.
5. Which functions are affected by CVE-2026-50219?
CVE-2026-50219 affects functions including XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, and XML_ParserReset.