TL;DR: I found a XML bug in Apache Xerces by fuzzing, but it turned out that a fix was already pending but not committed.
So in spare time, after giving a try to expat in another post, I decided to switch to Apache Xerces, another xml parser written in C/C++.
I reported the UAF on oss, but Gustavo Grieco (kudos) pointed me out that he already disclosed the same bug, and a fix was pending but not committed. (CVE-2016-2099)
Here you can see the crash (StdInParse is just a tool that takes from stdin the xml):
And you can download the minimized test case here