CVE-2026-32776
Null Pointer Dereference in libexpat < 2.7.5 via Empty External Entity
Publication date: 2026-03-16
Last updated on: 2026-03-17
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| libexpat_project | libexpat | up to 2.7.5 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32776 is a vulnerability in libexpat before version 2.7.5 that causes a NULL pointer dereference when processing empty external parameter entities in XML entity declarations.
Specifically, when an external parameter entity with empty content is referenced, the parser receives zero bytes of input. This leads to a situation where certain internal arrays used for scanning XML content are not properly initialized. As a result, the function XmlEntityValueTok() attempts to call through a NULL pointer, causing a segmentation fault (crash).
The issue arises because encoding detection does not occur with empty input, leaving some internal structures uninitialized. The fix implemented in version 2.7.5 skips processing when no input is present and ensures pointers are properly initialized to prevent the NULL dereference.
How can this vulnerability impact me?
This vulnerability can cause the libexpat parser to crash due to a NULL pointer dereference when processing specially crafted XML input containing empty external parameter entities.
Such crashes can lead to denial of service (DoS) conditions in applications that rely on libexpat for XML parsing, potentially disrupting normal operation.
Since the CVSS base score is 4.0 with an impact on availability only, the primary impact is service interruption rather than data confidentiality or integrity loss.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
The vulnerability CVE-2026-32776 in libexpat is fixed in version 2.7.5, which is targeted for release in April 2026.
To mitigate this vulnerability immediately, you should upgrade your libexpat library to version 2.7.5 or later once it becomes available.
The fix prevents NULL function-pointer dereference by skipping processing of empty external parameter entities and properly initializing pointers to avoid crashes.
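The explanation of the trigger (an external parameter entity whose content is empty) and the mitigation answer above both come down to two checks a deployment can make. The following is an added example, not code from the CVE record or from the libexpat project: it reports whether the Expat linked into the running Python interpreter predates the fixed release named on this page, and it shows how a parser configured to never resolve external parameter entities does not ask the application for their content at all, on the assumption that a parser which never resolves such entities does not enter the affected code path. The sample document and the system identifier `ext.dtd` are constructed placeholders; the handler only records the request and deliberately does not create a parser for the entity, so nothing here reproduces the crash.

```python
"""Added defensive example (not from the CVE record or from libexpat).

1. Report which Expat version the interpreter links against and whether it
   is at or above the fixed release named in the advisory (2.7.5).
2. Show that with parameter-entity parsing set to NEVER the parser never
   asks the application to resolve an external parameter entity, so no
   entity content (empty or otherwise) is ever fed back into it.

Uses only the standard-library pyexpat binding.
"""
import xml.parsers.expat as expat

FIXED_VERSION = (2, 7, 5)  # fixed release named in the advisory

# Constructed sample: an internal DTD subset that declares and references one
# external parameter entity.  "ext.dtd" is a placeholder system identifier.
SAMPLE_XML = b"""<?xml version="1.0"?>
<!DOCTYPE root [
  <!ENTITY % ext SYSTEM "ext.dtd">
  %ext;
]>
<root/>
"""


def linked_expat_is_fixed(version=None):
    """Return True if the given (or linked) Expat version is >= 2.7.5."""
    if version is None:
        version = expat.version_info  # (major, minor, patch) of linked Expat
    return tuple(version) >= FIXED_VERSION


def parse_with_policy(data, follow_param_entities):
    """Parse `data` and return the system IDs of external entities the parser
    asked us to resolve.

    follow_param_entities=True  -> XML_PARAM_ENTITY_PARSING_ALWAYS: the
                                   reference %ext; reaches our handler.
    follow_param_entities=False -> XML_PARAM_ENTITY_PARSING_NEVER: the
                                   reference is skipped, handler never called.
    """
    requested = []

    def on_external_entity(context, base, system_id, public_id):
        # Record the request only.  Returning nonzero tells Expat to carry on
        # without the entity; we never fetch or parse its content.
        requested.append(system_id)
        return 1

    parser = expat.ParserCreate()
    flag = (expat.XML_PARAM_ENTITY_PARSING_ALWAYS if follow_param_entities
            else expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.SetParamEntityParsing(flag)
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(data, True)
    return requested


if __name__ == "__main__":
    status = "at or above fix" if linked_expat_is_fixed() else "predates fix"
    print("linked Expat:", expat.EXPAT_VERSION, "->", status, FIXED_VERSION)
    print("ALWAYS ->", parse_with_policy(SAMPLE_XML, True))
    print("NEVER  ->", parse_with_policy(SAMPLE_XML, False))
```

Run it under the interpreter that your application actually uses, since the linked Expat version is what matters; on an unpatched build, keeping `XML_PARAM_ENTITY_PARSING_NEVER` (Expat's own default) and not installing an `ExternalEntityRefHandler` that parses fetched content removes the entity path described on this page until the 2.7.5 upgrade can be applied.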