Skip to main content

Libexpat CVE-2026-32778

| EUVDEUVD-2026-12351 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-03-16 mitre
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Severity Changed
Jul 14, 2026 - 13:22 NVD
LOW MEDIUM
CVSS changed
Jul 14, 2026 - 13:22 NVD
2.9 (LOW) 5.5 (MEDIUM)
Patch available
Apr 16, 2026 - 05:29 EUVD
2.7.5
EUVD ID Assigned
Mar 16, 2026 - 09:00 euvd
EUVD-2026-12351
Analysis Generated
Mar 16, 2026 - 09:00 vuln.today
CVE Published
Mar 16, 2026 - 07:02 nvd
LOW 2.9

DescriptionNVD

libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier ouf-of-memory condition.

AnalysisAI

libexpat before version 2.7.5 contains a NULL pointer dereference vulnerability in the setContext function that occurs when the library retries operations following an out-of-memory condition. This flaw affects all users of vulnerable libexpat versions and can result in application crashes leading to denial of service. While the CVSS score of 2.9 is low and exploitation requires specific local conditions and high complexity, this vulnerability represents a stability risk for XML parsing operations in memory-constrained or stressed environments.

Technical ContextAI

libexpat is a widely-used C library for parsing XML documents, commonly integrated into applications, web servers, and system utilities. The vulnerability exists in the setContext function's error-handling path, specifically in CWE-476 (NULL Pointer Dereference). The root cause stems from improper state management when memory allocation fails; the function attempts to dereference a pointer that was not properly validated or reset after an earlier out-of-memory condition, rather than gracefully handling the retry scenario. This is a memory safety issue typical in C libraries where manual memory management and explicit error handling are required. The affected CPE signature is cpe:2.3:a:libexpat:expat, with vulnerable versions spanning the entire 2.x series prior to 2.7.5.

RemediationAI

Upgrade libexpat to version 2.7.5 or later immediately. For systems using Python, update to a version with the patched libexpat dependency; for systems using curl or Apache, patch those packages to versions incorporating the fixed libexpat library. If immediate patching is not feasible, mitigate by limiting memory-constrained execution environments, implementing resource quotas to prevent out-of-memory conditions, and monitoring application logs for XML parsing errors or unexpected crashes. Where possible, validate and pre-allocate sufficient memory before XML parsing operations. Refer to the official libexpat security advisories and release notes at https://github.com/libexpat/libexpat/releases for patch verification and detailed installation instructions specific to your platform.

CVE-2022-25315 CRITICAL POC
9.8 Feb 18

In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. Rated critical severity (CVSS 9.8),

CVE-2017-9233 HIGH POC
7.5 Jul 25

XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the p

CVE-2026-45186 HIGH POC
7.5 May 10

Denial of service in libexpat before 2.8.1 lets remote attackers exhaust CPU by submitting moderately sized crafted XML

CVE-2022-43680 HIGH POC
7.5 Oct 24

In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEnti

CVE-2019-15903 HIGH POC
7.5 Sep 04

In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too

CVE-2013-0340 MEDIUM POC
6.8 Jan 21

expat before version 2.4.0 does not properly handle entities expansion unless an application developer uses the XML_SetE

CVE-2016-0718 CRITICAL
9.8 May 26

Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a m

CVE-2024-45492 CRITICAL
9.8 Aug 30

An issue was discovered in libexpat before 2.6.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exp

CVE-2024-45491 CRITICAL
9.8 Aug 30

An issue was discovered in libexpat before 2.6.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exp

CVE-2016-4472 HIGH
8.1 Jun 30

The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attacke

CVE-2022-40674 HIGH
8.1 Sep 14

libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c. Rated high severity (CVSS 8.1), this

CVE-2016-5300 HIGH
7.5 Jun 16

The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attacker

Share

CVE-2026-32778 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy