Skip to main content

Libexpat CVE-2026-32777

| EUVDEUVD-2026-12349 MEDIUM
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2026-03-16 mitre
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
4.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Jul 14, 2026 - 13:22 NVD
4.0 (MEDIUM) 5.5 (MEDIUM)
Patch available
Apr 16, 2026 - 05:29 EUVD
2.7.5
EUVD ID Assigned
Mar 16, 2026 - 09:00 euvd
EUVD-2026-12349
Analysis Generated
Mar 16, 2026 - 09:00 vuln.today
CVE Published
Mar 16, 2026 - 06:58 nvd
MEDIUM 4.0

DescriptionNVD

libexpat before 2.7.5 allows an infinite loop while parsing DTD content.

AnalysisAI

libexpat before version 2.7.5 contains an infinite loop vulnerability triggered during DTD (Document Type Definition) parsing, allowing local attackers to cause a denial of service condition. The vulnerability affects all applications and libraries that depend on libexpat for XML parsing, with a CVSS score of 4.0 reflecting limited severity due to local-only attack vector and availability impact. While the CVSS base score is moderate, the infinite loop condition presents a real denial of service risk for services that parse untrusted XML documents containing malicious DTD content.

Technical ContextAI

libexpat is a widely-used C library for parsing XML documents (CPE: cpe:2.3:a:libexpat:libexpat). The vulnerability exists in the DTD parsing logic, which processes Document Type Definition declarations that can include entity definitions, attribute declarations, and notation declarations. The root cause is classified under CWE-835 (Infinite Loop), indicating that the parser enters an unbounded loop condition when processing certain DTD constructs rather than properly terminating parsing or raising an error. This is a classic resource exhaustion vulnerability where malformed or specifically crafted DTD content causes the parser to consume CPU resources indefinitely, preventing normal operation of any application using the affected libexpat version for XML parsing operations.

RemediationAI

Upgrade libexpat to version 2.7.5 or later immediately. On Linux systems, use your distribution's package manager (apt, yum, dnf, etc.) to update libexpat and any dependent packages. For applications that embed libexpat, update to the latest version of that application which includes the patched libexpat library. Until patching is completed, restrict local access to systems parsing untrusted XML content and consider implementing input validation or XML parsing timeouts at the application level to detect and interrupt infinite loops. If your organization cannot patch immediately, disable XML DTD processing where possible via application configuration settings, as many XML parsers offer options to restrict DTD parsing to reduce attack surface.

CVE-2022-25315 CRITICAL POC
9.8 Feb 18

In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. Rated critical severity (CVSS 9.8),

CVE-2017-9233 HIGH POC
7.5 Jul 25

XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the p

CVE-2026-45186 HIGH POC
7.5 May 10

Denial of service in libexpat before 2.8.1 lets remote attackers exhaust CPU by submitting moderately sized crafted XML

CVE-2022-43680 HIGH POC
7.5 Oct 24

In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEnti

CVE-2019-15903 HIGH POC
7.5 Sep 04

In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too

CVE-2013-0340 MEDIUM POC
6.8 Jan 21

expat before version 2.4.0 does not properly handle entities expansion unless an application developer uses the XML_SetE

CVE-2016-0718 CRITICAL
9.8 May 26

Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a m

CVE-2024-45492 CRITICAL
9.8 Aug 30

An issue was discovered in libexpat before 2.6.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exp

CVE-2024-45491 CRITICAL
9.8 Aug 30

An issue was discovered in libexpat before 2.6.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exp

CVE-2016-4472 HIGH
8.1 Jun 30

The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attacke

CVE-2022-40674 HIGH
8.1 Sep 14

libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c. Rated high severity (CVSS 8.1), this

CVE-2016-5300 HIGH
7.5 Jun 16

The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attacker

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
Container suse/ltss/sle12.5/sles12sp5:8.5.217 Affected
Container suse/manager/4.3/proxy-httpd:latest Container suse/manager/4.3/proxy-salt-broker:4.3.17.9.66.5 Container suse/manager/4.3/proxy-ssh:latest Container suse/manager/4.3/proxy-tftpd:4.3.17.9.66.5 Container suse/sle-micro/base-5.5:latest Container suse/sle-micro/kvm-5.5:latest Image SLES15-SP5-Micro-5-5 Image SLES15-SP5-Micro-5-5-Azure Affected
Container suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.156 Container suse/sl-micro/6.0/base-os-container:2.1.3-7.123 Container suse/sl-micro/6.0/kvm-os-container:2.1.3-6.140 Container suse/sl-micro/6.0/rt-os-container:2.1.3-7.154 Container suse/sl-micro/6.0/toolbox:13.2-9.91 Container suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.86 Container suse/sl-micro/6.1/base-os-container:2.2.1-5.110 Container suse/sl-micro/6.1/kvm-os-container:2.2.1-5.112 Container suse/sl-micro/6.1/rt-os-container:2.2.1-5.100 Image SL-Micro Affected
Container suse/sle-micro-rancher/5.2:latest Container suse/sle-micro/5.2/toolbox:14.2-7.11.264 Affected
Container suse/sles/16.0/toolbox:16.3-1.42 Affected

Share

CVE-2026-32777 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy