CVE-2026-24515 — NULL Pointer Dereference in Project Libexpat

CWE-476 — NULL Pointer Dereference13 documents8 sources

Severity

2.5LOWNVD

CNA2.9OSV7.5

EPSS

0.0%

top 99.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Libexpat Project Libexpat

Timeline

PublishedJan 23

Latest updateFeb 16

Description

In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:LExploitability: 1.0 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5libexpat_project/libexpat< 2.7.4

▶NVDlibexpat_project/libexpat< 2.7.4

🔴Vulnerability Details

OSV

expat vulnerabilities↗2026-02-16

▶

OSV

libxmltok vulnerabilities↗2026-02-11

▶

OSV

expat vulnerabilities↗2026-02-10

▶

OSV

CVE-2026-24515: In libexpat before 2↗2026-01-23

▶

GHSA

GHSA-mpwv-4wmh-cvf7: In libexpat before 2↗2026-01-23

▶

📋Vendor Advisories

Ubuntu

Expat vulnerabilities↗2026-02-16

▶

Ubuntu

xmltok library vulnerabilities↗2026-02-11

▶

Ubuntu

Expat vulnerabilities↗2026-02-10

▶

Red Hat

libexpat: libexpat null pointer dereference↗2026-01-23

▶

Debian

CVE-2026-24515: expat - In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown e...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-24515 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶