Description
libexpat before 2.7.5 allows an infinite loop while parsing DTD content.
Published: 2026-03-16
Score: 4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply patch
AI Analysis

Impact

This vulnerability is caused by an infinite loop that can be triggered when the libexpat library parses DTD content. The resulting denial of service can exhaust CPU resources and potentially cause the application that uses libexpat to become unresponsive, impacting availability. The weakness is identified as CWE‑835: Infinite Loop.

Affected Systems

The affected product is libexpat for the libexpat project. No specific affected versions are listed in the provided data, so all releases prior to the fix are potentially susceptible.

Risk and Exploitability

The CVSS score is 4, indicating moderate severity, and the EPSS score is below 1%, suggesting a low likelihood of exploitation. This vulnerability is not listed in the CISA KEV catalog. No attack vector is explicitly documented; based on the description, it is inferred that an attacker could cause the denial of service by supplying malicious XML with a DTD that triggers the infinite loop.

Generated by OpenCVE AI on March 17, 2026 at 17:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libexpat to version 2.7.5 or newer.

Generated by OpenCVE AI on March 17, 2026 at 17:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*

Tue, 17 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Libexpat Project
Libexpat Project libexpat
Vendors & Products Libexpat Project
Libexpat Project libexpat

Tue, 17 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Title libexpat: libexpat: Denial of Service via infinite loop in DTD content parsing
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 16 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 07:30:00 +0000

Type Values Removed Values Added
Description libexpat before 2.7.5 allows an infinite loop while parsing DTD content.
Weaknesses CWE-835
References
Metrics cvssV3_1

{'score': 4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Libexpat Project Libexpat
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-16T14:55:27.958Z

Reserved: 2026-03-16T06:58:06.217Z

Link: CVE-2026-32777

cve-icon Vulnrichment

Updated: 2026-03-16T14:55:24.614Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-16T14:19:44.780

Modified: 2026-03-17T15:52:34.357

Link: CVE-2026-32777

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-16T06:58:06Z

Links: CVE-2026-32777 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:45:39Z

Weaknesses