NULL Pointer Dereference Vulnerability in Expat Library by Expat Project
CVE-2026-32778

2.9 LOW

Key Information:

CVE Published: 16 March 2026

What is CVE-2026-32778?

Expat Library (libexpat) versions prior to 2.7.5 contain a NULL pointer dereference in the setContext function. The issue occurs when the library retries an operation following an out-of-memory condition. Triggering it may lead to application crashes or other unintended behavior; upgrading to the latest version mitigates the risk.

Affected Version(s)

libexpat 0 < 2.7.5

CVSS V3.1

Score: 2.9
Severity: LOW
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
