CVE-2026-24515
BaseFortify
Publication date: 2026-01-23
Last updated on: 2026-02-05
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| libexpat_project | libexpat | all versions before 2.7.4 (2.7.4 is the fixed release and is excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
In libexpat before 2.7.4, XML_ExternalEntityParserCreate builds the child parser used for an external entity by copying the parent parser's handlers, but it did not copy the user-data pointer registered together with the unknown encoding handler (the third argument of XML_SetUnknownEncodingHandler). When that child parser meets an encoding name libexpat does not recognize, it invokes the application's handler with a NULL data pointer instead of the one the application registered. A handler that dereferences the pointer without checking it crashes, which is the CWE-476 NULL pointer dereference listed under Exploitability. The fix in 2.7.4 makes XML_ExternalEntityParserCreate copy the user data into the child parser. [1]
How can this vulnerability impact me?
The practical impact is a crash, and so a denial of service, of any application that registers an unknown encoding handler with a non-NULL user-data pointer, relies on that pointer inside the handler, and resolves external entities by creating child parsers with XML_ExternalEntityParserCreate. Reaching the faulty path requires the child parser to see an encoding declaration libexpat does not know, so the attacker-controlled part is the external entity content (or the document that references it). Applications that never register an unknown encoding handler, register it with a NULL data pointer, or never resolve external entities do not hit this issue. [1]
What immediate steps should I take to mitigate this vulnerability?
Update libexpat to 2.7.4 or later, where XML_ExternalEntityParserCreate copies the unknown encoding handler's user data into the child parser, and rebuild or redeploy anything that bundles its own copy of libexpat rather than using the system library. Until the update is in place, two code-level defenses cover the same bug: make the unknown encoding handler tolerate a NULL data pointer (return XML_STATUS_ERROR, or fall back to state it can reach without the pointer), and do not register an external entity reference handler in parsers that have no need to resolve external entities, since XML_ExternalEntityParserCreate is called from application code, typically inside that handler. [1]