Libexpat Project Libexpat vulnerabilities

46 known vulnerabilities affecting libexpat_project/libexpat.

Total CVEs: 46
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 20, MEDIUM 15, LOW 1

Vulnerabilities

Page 1 of 3
CVE-2026-32776 | MEDIUM | CVSS 5.5 | fixed in 2.7.5 | 2026-03-16
CVE-2026-32776 [MEDIUM] CWE-476: libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content.
cvelistv5, nvd
CVE-2026-32778 | MEDIUM | CVSS 5.5 | fixed in 2.7.5 | 2026-03-16
CVE-2026-32778 [LOW] CWE-476: libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier out-of-memory condition.
cvelistv5, nvd
CVE-2026-32777 | MEDIUM | CVSS 5.5 | fixed in 2.7.5 | 2026-03-16
CVE-2026-32777 [MEDIUM] CWE-835: libexpat before 2.7.5 allows an infinite loop while parsing DTD content.
cvelistv5, nvd
CVE-2026-25210 | HIGH | CVSS 7.8 | fixed in 2.7.4 | 2026-01-30
CVE-2026-25210 [MEDIUM] CWE-190: In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.
cvelistv5, nvd
CVE-2026-24515 | LOW | CVSS 2.5 | fixed in 2.7.4 | 2026-01-23
CVE-2026-24515 [LOW] CWE-476: In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.
cvelistv5, nvd
CVE-2025-66382 | MEDIUM | CVSS 5.5 | ≤ 2.7.3 | 2025-11-28
CVE-2025-66382 [LOW] CWE-407: In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.
cvelistv5, nvd
CVE-2025-59375 | HIGH | CVSS 7.5 | fixed in 2.7.2 | 2025-09-15
CVE-2025-59375 [HIGH] CWE-770: libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.
cvelistv5, nvd
CVE-2024-50602 | MEDIUM | CVSS 5.9 | fixed in 2.6.4 | 2024-10-27
CVE-2024-50602 [MEDIUM] CWE-754: An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser.
nvd
CVE-2024-45492 | CRITICAL | CVSS 9.8 | fixed in 2.6.3 | 2024-08-30
CVE-2024-45492 [CRITICAL] CWE-190: An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).
nvd
CVE-2024-45491 | CRITICAL | CVSS 9.8 | fixed in 2.6.3 | 2024-08-30
CVE-2024-45491 [CRITICAL] CWE-190: An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).
nvd
CVE-2024-45490 | HIGH | CVSS 7.5 | fixed in 2.6.3 | 2024-08-30
CVE-2024-45490 [HIGH] CWE-611: An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.
nvd
CVE-2024-28757 | HIGH | CVSS 7.5 | fixed in 2.6.2 | 2024-03-10
CVE-2024-28757 [HIGH] CWE-776: libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).
nvd
CVE-2023-52425 | HIGH | CVSS 7.5 | ≤ 2.5.0 | 2024-02-04
CVE-2023-52425 [HIGH] CWE-400: libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.
nvd
CVE-2023-52426 | MEDIUM | CVSS 5.5 | ≤ 2.5.0 | 2024-02-04
CVE-2023-52426 [MEDIUM] CWE-776: libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.
nvd
CVE-2022-43680 | HIGH | CVSS 7.5 | ≤ 2.4.9 | 2022-10-24
CVE-2022-43680 [HIGH] CWE-416: In libexpat through 2.4.9, there is a use-after-free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.
nvd
CVE-2022-40674 | HIGH | CVSS 8.1 | fixed in 2.4.9 | 2022-09-14
CVE-2022-40674 [HIGH] CWE-416: libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.
nvd
CVE-2022-25315 | CRITICAL | CVSS 9.8 | fixed in 2.4.5 | 2022-02-18
CVE-2022-25315 [CRITICAL] CWE-190: In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.
nvd
CVE-2022-25314 | HIGH | CVSS 7.5 | fixed in 2.4.5 | 2022-02-18
CVE-2022-25314 [HIGH] CWE-190: In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.
nvd
CVE-2022-25313 | MEDIUM | CVSS 6.5 | fixed in 2.4.5 | 2022-02-18
CVE-2022-25313 [MEDIUM] CWE-674: In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.
nvd
CVE-2022-25235 | CRITICAL | CVSS 9.8 | fixed in 2.4.5 | 2022-02-16
CVE-2022-25235 [CRITICAL] CWE-116: xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.
nvd