CVE-2026-24515

2.9 LOW

📋 TL;DR

In this vulnerability, libexpat's XML_ExternalEntityParserCreate function fails to copy the user data registered with the unknown encoding handler into the newly created external entity parser, which can lead to crashes or undefined behavior when malformed XML is processed with custom encoding handlers. It affects applications that use vulnerable libexpat versions to parse XML from untrusted sources.

💻 Affected Systems

Products:
  • libexpat
  • Any software using libexpat library
Versions: All versions before 2.7.4
Operating Systems: All operating systems using libexpat
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using XML_ExternalEntityParserCreate with custom unknown encoding handlers. Most applications use default encoding handlers.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Application crash leading to denial of service, or potential memory corruption that could be leveraged for further exploitation in specific configurations.

🟠 Likely Case

Application instability or crashes when processing specially crafted XML files with custom encoding handlers.

🟢 If Mitigated

Minimal impact if applications don't use custom encoding handlers or don't parse untrusted XML.

🌐 Internet-Facing: LOW - Requires specific XML parsing configurations and custom encoding handlers to be exploitable.
🏢 Internal Only: LOW - Same constraints apply; requires malformed XML input and specific libexpat usage patterns.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: No
Unauthenticated Exploit: ⚠️ Yes
Complexity: HIGH

Exploitation requires specific application configuration with custom encoding handlers and malformed XML input.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.4

Vendor Advisory: https://github.com/libexpat/libexpat/pull/1131

Restart Required: Yes

Instructions:

1. Update libexpat to version 2.7.4 or later.
2. Recompile applications that link libexpat statically.
3. Restart affected services.

🔧 Temporary Workarounds

Disable external entity parsing (applies to: all)

Configure applications to disable XML external entity processing if it is not required.

Set XML_PARSE_NOENT flag to 0 in expat parser initialization. (Note: XML_PARSE_NOENT is a libxml2 parser option name; expat's own control for external parameter entity handling is XML_SetParamEntityParsing with XML_PARAM_ENTITY_PARSING_NEVER.)

🧯 If You Can't Patch

  • Implement input validation to reject malformed XML before parsing
  • Use network controls to limit XML input to trusted sources only

🔍 How to Verify

Check if Vulnerable:

Check the libexpat version with expat --version, or run ldd on the application binary to find the linked libexpat library and its version.

Check Version:

expat --version 2>&1 | head -1

Verify Fix Applied:

Confirm that the libexpat version is 2.7.4 or higher and that the affected applications have been restarted.
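As an added check that is not part of this advisory, the following POSIX shell script reads the installed libexpat version (via pkg-config, falling back to the XML_*_VERSION macros in expat.h) and compares it against the fixed release 2.7.4; the header path and the EXPAT_HEADER override variable are assumptions, and it also handles distro-style suffixes such as "2.7.4-r1".

```shell
#!/bin/sh
# Added example for CVE-2026-24515, not part of the advisory: report whether
# the installed libexpat is at or past the fixed release 2.7.4.
# Assumptions: pkg-config knows the "expat" module, or expat.h is readable
# at the default path below (override with EXPAT_HEADER=/path/to/expat.h).

FIXED_VERSION="2.7.4"

# version_ge A B: return 0 when dotted version A >= B, 1 otherwise.
# Missing components count as 0; a distro suffix such as "2.7.4-r1" is
# ignored by keeping only the leading digits of each component.
version_ge() {
    _a="$1." _b="$2."
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*}; _x=${_x%%[!0-9]*}; _a=${_a#*.}
        _y=${_b%%.*}; _y=${_y%%[!0-9]*}; _b=${_b#*.}
        if [ "${_x:-0}" -gt "${_y:-0}" ]; then return 0; fi
        if [ "${_x:-0}" -lt "${_y:-0}" ]; then return 1; fi
    done
    return 0
}

# expat_status VERSION: print "fixed" or "vulnerable" for this CVE.
expat_status() {
    if version_ge "$1" "$FIXED_VERSION"; then echo fixed; else echo vulnerable; fi
}

# expat_installed_version: print the installed version, preferring pkg-config
# and falling back to the XML_{MAJOR,MINOR,MICRO}_VERSION macros in expat.h.
expat_installed_version() {
    if _v=$(pkg-config --modversion expat 2>/dev/null) && [ -n "$_v" ]; then
        printf '%s\n' "$_v"; return 0
    fi
    _h="${EXPAT_HEADER:-/usr/include/expat.h}"   # assumed default location
    [ -r "$_h" ] || return 1
    awk '/^#define XML_(MAJOR|MINOR|MICRO)_VERSION/ { v[n++] = $3 }
         END { if (n == 3) print v[0] "." v[1] "." v[2] }' "$_h"
}

if _v=$(expat_installed_version) && [ -n "$_v" ]; then
    printf 'installed libexpat %s: %s\n' "$_v" "$(expat_status "$_v")"
else
    echo 'could not determine the installed libexpat version; check with ldd' >&2
fi
```

Distributions often backport security fixes without changing the upstream version string, so a "vulnerable" result on such a system should be confirmed against the package changelog.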

📡 Detection & Monitoring

Log Indicators:

  • Application crashes during XML parsing
  • Segmentation faults in XML processing components

Network Indicators:

  • Unusual XML file uploads to applications
  • XML parsing errors in application logs

SIEM Query:

source="application.log" AND ("segmentation fault" OR "XML parse error") AND process="*expat*"
