CVE-2026-32778
NULL Pointer Dereference in libexpat 2.7.5 Causes Crash
Publication date: 2026-03-16
Last updated on: 2026-03-17
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| libexpat_project | libexpat | to 2.7.5 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32778 is a vulnerability in the libexpat XML parser library, specifically in the setContext() function. It occurs when the parser retries an operation after an earlier out-of-memory (OOM) condition. During this retry, a PREFIX entry with a NULL name can be created in the hash table due to a failure in copying the prefix name. This results in a 'zombie' entry that causes a NULL pointer dereference when accessed, leading to a potential denial-of-service (DoS) condition.
The root cause is that the lookup() function creates a PREFIX entry before the prefix name is successfully copied. If the copy fails, the PREFIX entry remains with a NULL name. When the parser retries, it attempts to compare keys on this invalid entry, causing the crash.
The fix changes the order of operations so that the prefix name is copied first before inserting the PREFIX entry, preventing the creation of invalid entries and eliminating the NULL dereference. [1]
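
The ordering problem described above, shown as an added example in a simplified model. This is not libexpat source code: `Table`, `Prefix`, `copy_name`, `claim` and the `add_*` functions are hypothetical names, and the forced copy failure stands in for the out-of-memory condition.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of the pattern; not libexpat source. */
typedef struct { char *name; } Prefix;
typedef struct { Prefix slot[8]; int count; int fail_copy; } Table;

/* Name copy that can be forced to fail, standing in for the OOM. */
static char *copy_name(Table *t, const char *s) {
    char *p = t->fail_copy ? NULL : malloc(strlen(s) + 1);
    if (p) strcpy(p, s);
    return p;
}

/* Insert a new entry into the table; NULL when the table is full. */
static Prefix *claim(Table *t) { return t->count < 8 ? &t->slot[t->count++] : NULL; }

/* Root-cause ordering: insert, then copy. A failed copy leaves name == NULL. */
int add_insert_first(Table *t, const char *s) {
    Prefix *p = claim(t);
    if (!p) return -1;
    p->name = copy_name(t, s);
    return p->name ? 0 : -1;
}

/* Fixed ordering: copy the name first, insert only if that succeeded. */
int add_copy_first(Table *t, const char *s) {
    char *n = copy_name(t, s);
    Prefix *p = n ? claim(t) : NULL;
    if (!p) { free(n); return -1; }
    p->name = n;
    return 0;
}

/* Force one failed add; count entries left behind with a NULL name. */
int zombies_after_oom(int (*add)(Table *, const char *)) {
    Table t = { .fail_copy = 1 };
    int n = 0;
    add(&t, "ns");
    for (int i = 0; i < t.count; i++) n += (t.slot[i].name == NULL);
    return n;
}

int main(void) {
    printf("insert-first: %d zombie entries\n", zombies_after_oom(add_insert_first));
    printf("copy-first:   %d zombie entries\n", zombies_after_oom(add_copy_first));
    return 0;
}
```

Both orderings report the failure to the caller; only the insert-first ordering also leaves an entry that a later key comparison would dereference.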
How can this vulnerability impact me?
This vulnerability can lead to a denial-of-service (DoS) condition in applications using the libexpat XML parser. Specifically, if the parser encounters an out-of-memory condition and then retries, it may crash due to a NULL pointer dereference. This crash can cause the application or service relying on libexpat to become unavailable or unstable.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the libexpat library to version 2.7.5 or later, where the issue has been fixed.
The fix involves a patch that changes the order of operations in the setContext() function to prevent NULL pointer dereference by ensuring that prefix names are copied before being inserted into the hash table.
Applying this update will prevent denial-of-service conditions caused by this vulnerability.