CVE-2026-32777
Awaiting Analysis Awaiting Analysis - Queue
Infinite Loop Vulnerability in libexpat DTD Parsing Before

Publication date: 2026-03-16

Last updated on: 2026-03-17

Assigner: MITRE

Description
libexpat before 2.7.5 allows an infinite loop while parsing DTD content.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32777
EUVD
EUVD-2026-12349
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
libexpat_project libexpat to 2.7.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32777 is a vulnerability in the libexpat XML parsing library before version 2.7.5. It causes an infinite loop while parsing Document Type Definition (DTD) content. Specifically, the function entityValueProcessor fails to properly advance the input pointer when encountering the XML_TOK_INSTANCE_START token, causing the parser to stall indefinitely.

This issue was discovered through fuzz testing by OSS-Fuzz/ClusterFuzz and results in a timeout due to the parser repeatedly processing the same token without progress.

The vulnerability was fixed by adding logic to reject the problematic token in entityValueProcessor, preventing the infinite loop.

Impact Analysis

This vulnerability can cause the libexpat XML parser to enter an infinite loop when processing certain XML inputs, leading to a denial of service (DoS) condition.

The infinite loop results in resource exhaustion, such as CPU usage spikes and application unresponsiveness, potentially impacting the availability of software that relies on libexpat for XML parsing.

Compliance Impact

I don't know

Detection Guidance

This vulnerability was originally detected through fuzz testing using OSS-Fuzz/ClusterFuzz, specifically with test case 486993411 that caused a timeout due to an infinite loop in the libexpat XML parser.

Detection involves reproducing the infinite loop condition in the entityValueProcessor function when parsing XML content containing the XML_TOK_INSTANCE_START token.

While no specific detection commands are provided, testing for hangs or timeouts in XML parsing using fuzzing tools or custom test cases that include problematic XML token sequences could help identify the vulnerability.

Mitigation Strategies

The primary mitigation is to upgrade libexpat to version 2.7.5 or later, where the infinite loop issue in entityValueProcessor has been fixed.

The fix involves rejecting the problematic XML_TOK_INSTANCE_START token in the parser to prevent the infinite loop and associated denial of service.

Until the fixed version is available, consider avoiding processing untrusted or malformed XML content that could trigger this infinite loop.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32777. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart