CVE-2026-32778
Awaiting Analysis Awaiting Analysis - Queue

NULL Pointer Dereference in libexpat 2.7.5 Causes Crash

Vulnerability report for CVE-2026-32778, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-16

Last updated on: 2026-03-17

Assigner: MITRE

Description

libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier ouf-of-memory condition.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-16
Last Modified
2026-03-17
Generated
2026-07-06
AI Q&A
2026-03-16
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
libexpat_project libexpat to 2.7.5 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-32778 is a vulnerability in the libexpat XML parser library, specifically in the setContext() function. It occurs when the parser retries an operation after an earlier out-of-memory (OOM) condition. During this retry, a PREFIX entry with a NULL name can be created in the hash table due to a failure in copying the prefix name. This results in a 'zombie' entry that causes a NULL pointer dereference when accessed, leading to a potential denial-of-service (DoS) condition."}, {'type': 'paragraph', 'content': 'The root cause is that the lookup() function creates a PREFIX entry before the prefix name is successfully copied. If the copy fails, the PREFIX entry remains with a NULL name. When the parser retries, it attempts to compare keys on this invalid entry, causing the crash.'}, {'type': 'paragraph', 'content': 'The fix changes the order of operations so that the prefix name is copied first before inserting the PREFIX entry, preventing the creation of invalid entries and eliminating the NULL dereference.'}] [1]

Impact Analysis

This vulnerability can lead to a denial-of-service (DoS) condition in applications using the libexpat XML parser. Specifically, if the parser encounters an out-of-memory condition and then retries, it may crash due to a NULL pointer dereference. This crash can cause the application or service relying on libexpat to become unavailable or unstable.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should update the libexpat library to version 2.7.5 or later, where the issue has been fixed.

The fix involves a patch that changes the order of operations in the setContext() function to prevent NULL pointer dereference by ensuring that prefix names are copied before being inserted into the hash table.

Applying this update will prevent denial-of-service conditions caused by this vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32778. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart