Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
6DescriptionNVD
libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier ouf-of-memory condition.
AnalysisAI
libexpat before version 2.7.5 contains a NULL pointer dereference vulnerability in the setContext function that occurs when the library retries operations following an out-of-memory condition. This flaw affects all users of vulnerable libexpat versions and can result in application crashes leading to denial of service. While the CVSS score of 2.9 is low and exploitation requires specific local conditions and high complexity, this vulnerability represents a stability risk for XML parsing operations in memory-constrained or stressed environments.
Technical ContextAI
libexpat is a widely-used C library for parsing XML documents, commonly integrated into applications, web servers, and system utilities. The vulnerability exists in the setContext function's error-handling path, specifically in CWE-476 (NULL Pointer Dereference). The root cause stems from improper state management when memory allocation fails; the function attempts to dereference a pointer that was not properly validated or reset after an earlier out-of-memory condition, rather than gracefully handling the retry scenario. This is a memory safety issue typical in C libraries where manual memory management and explicit error handling are required. The affected CPE signature is cpe:2.3:a:libexpat:expat, with vulnerable versions spanning the entire 2.x series prior to 2.7.5.
RemediationAI
Upgrade libexpat to version 2.7.5 or later immediately. For systems using Python, update to a version with the patched libexpat dependency; for systems using curl or Apache, patch those packages to versions incorporating the fixed libexpat library. If immediate patching is not feasible, mitigate by limiting memory-constrained execution environments, implementing resource quotas to prevent out-of-memory conditions, and monitoring application logs for XML parsing errors or unexpected crashes. Where possible, validate and pre-allocate sufficient memory before XML parsing operations. Refer to the official libexpat security advisories and release notes at https://github.com/libexpat/libexpat/releases for patch verification and detailed installation instructions specific to your platform.
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. Rated critical severity (CVSS 9.8),
XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the p
Denial of service in libexpat before 2.8.1 lets remote attackers exhaust CPU by submitting moderately sized crafted XML
In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEnti
In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too
expat before version 2.4.0 does not properly handle entities expansion unless an application developer uses the XML_SetE
Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a m
An issue was discovered in libexpat before 2.6.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exp
An issue was discovered in libexpat before 2.6.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exp
The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attacke
libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c. Rated high severity (CVSS 8.1), this
The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attacker
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12351