CVE-2026-32777
Infinite Loop Vulnerability in libexpat DTD Parsing Before
Publication date: 2026-03-16
Last updated on: 2026-03-17
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| libexpat_project | libexpat | to 2.7.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-835 | The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32777 is a vulnerability in the libexpat XML parsing library before version 2.7.5. It causes an infinite loop while parsing Document Type Definition (DTD) content. Specifically, the function entityValueProcessor fails to properly advance the input pointer when encountering the XML_TOK_INSTANCE_START token, causing the parser to stall indefinitely.
This issue was discovered through fuzz testing by OSS-Fuzz/ClusterFuzz and results in a timeout due to the parser repeatedly processing the same token without progress.
The vulnerability was fixed by adding logic to reject the problematic token in entityValueProcessor, preventing the infinite loop.
How can this vulnerability impact me? :
This vulnerability can cause the libexpat XML parser to enter an infinite loop when processing certain XML inputs, leading to a denial of service (DoS) condition.
The infinite loop results in resource exhaustion, such as CPU usage spikes and application unresponsiveness, potentially impacting the availability of software that relies on libexpat for XML parsing.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability was originally detected through fuzz testing using OSS-Fuzz/ClusterFuzz, specifically with test case 486993411 that caused a timeout due to an infinite loop in the libexpat XML parser.
Detection involves reproducing the infinite loop condition in the entityValueProcessor function when parsing XML content containing the XML_TOK_INSTANCE_START token.
While no specific detection commands are provided, testing for hangs or timeouts in XML parsing using fuzzing tools or custom test cases that include problematic XML token sequences could help identify the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade libexpat to version 2.7.5 or later, where the infinite loop issue in entityValueProcessor has been fixed.
The fix involves rejecting the problematic XML_TOK_INSTANCE_START token in the parser to prevent the infinite loop and associated denial of service.
Until the fixed version is available, consider avoiding processing untrusted or malformed XML content that could trigger this infinite loop.