Executive Summary

CVE-2026-32776 is a vulnerability in libexpat before version 2.7.5 that causes a NULL pointer dereference when processing empty external parameter entities in XML entity declarations.

Specifically, when an external parameter entity with empty content is referenced, the parser receives zero bytes of input. This leads to a situation where certain internal arrays used for scanning XML content are not properly initialized. As a result, the function XmlEntityValueTok() attempts to call through a NULL pointer, causing a segmentation fault (crash).

The issue arises because encoding detection does not occur with empty input, leaving some internal structures uninitialized. The fix implemented in version 2.7.5 skips processing when no input is present and ensures pointers are properly initialized to prevent the NULL dereference.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause the libexpat parser to crash due to a NULL pointer dereference when processing specially crafted XML input containing empty external parameter entities.

Such crashes can lead to denial of service (DoS) conditions in applications that rely on libexpat for XML parsing, potentially disrupting normal operation.

Since the CVSS base score is 4.0 with an impact on availability only, the primary impact is service interruption rather than data confidentiality or integrity loss.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

I don't know

Useful 0 Not Useful 0

Mitigation Strategies

The vulnerability CVE-2026-32776 in libexpat is fixed in version 2.7.5, which is targeted for release in April 2026.

To mitigate this vulnerability immediately, you should upgrade your libexpat library to version 2.7.5 or later once it becomes available.

The fix prevents NULL function-pointer dereference by skipping processing of empty external parameter entities and properly initializing pointers to avoid crashes.

Useful 0 Not Useful 0