SB2026032435 - Multiple DoS vulnerabilities in libexpat

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) NULL pointer dereference (CVE-ID: CVE-2026-32778)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the function setContext in libexpat when processing XML input under low-memory conditions. A remote attacker can send a specially crafted XML file to cause a denial of service.

Exploitation requires repeated processing of malicious input following an initial out-of-memory condition.

2) Infinite loop (CVE-ID: CVE-2026-32777)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an infinite loop in the DTD content parser when processing a specially crafted XML file. A remote attacker can send a specially crafted request to cause a denial of service.

3) NULL Pointer Dereference (CVE-ID: CVE-2026-32776)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the XML parser when processing malicious XML content with empty external parameter entity content. A remote attacker can send a specially crafted XML file to cause a denial of service.

Remediation

Install update from vendor's website.

References

• https://github.com/libexpat/libexpat/pull/1159
• https://github.com/libexpat/libexpat/pull/1163
• https://github.com/libexpat/libexpat/issues/1161
• https://github.com/libexpat/libexpat/pull/1162
• https://issues.oss-fuzz.com/issues/486993411
• https://github.com/libexpat/libexpat/pull/1158