DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-24515: libexpat's Pointer Amnesia: A Tale of Missing User Data (CVE-2026-24515)


Vulnerability ID: CVE-2026-24515
CVSS Score: 2.9
Published: 2026-01-23

A deep dive into a logic flaw in libexpat's external entity parsing. Specifically, the library fails to carry the unknown-encoding handler's user-context pointer over to the child parsers it creates for external entities, so applications that rely on a custom encoding handler can hit a NULL pointer dereference. The CVSS score is low because the preconditions are narrow, but the bug reveals a fundamental oversight in state management within one of the world's most ubiquitous C libraries.

TL;DR

libexpat versions < 2.7.4 fail to copy the unknown-encoding handler's userData pointer into the subparser created for an external entity with an unknown encoding. If the application's custom encoding handler dereferences that pointer, the child parser hands it NULL and the application crashes.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-476 (NULL Pointer Dereference)
  • Attack Vector: Local / Context-dependent (Requires specific app config)
  • CVSS v3.1: 2.9 (Low)
  • Impact: Denial of Service (Application Crash)
  • EPSS Score: 0.00013 (Low probability of wild exploitation)
  • Likelihood: Low (Requires custom handler + external entities)

Affected Systems

  • libexpat < 2.7.4 (fixed in 2.7.4)
  • Systems processing untrusted XML with external entities enabled
  • Applications using XML_SetUnknownEncodingHandler

Code Analysis

Commit: b5665b1

Ensure that the user data pointer for unknown encoding handlers is copied to the external entity parser.

parser->m_unknownEncodingHandler = oldParser->m_unknownEncodingHandler;
+ parser->m_unknownEncodingHandlerData = oldParser->m_unknownEncodingHandlerData;
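Review bot: a one-line field copy like this regresses silently unless a test pins the child-parser path, so the regression test from PR #1131 (test_unknown_encoding_user_data_secondary), which drives a handler that reads its user data from the external-entity subparser, should land in the same change; it is also worth checking the rest of this initialization for any other handler whose data pointer is not copied alongside its handler pointer, since `m_unknownEncodingHandler` was copied here while `m_unknownEncodingHandlerData` was not.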

Exploit Details

  • libexpat PR #1131: Unit test (test_unknown_encoding_user_data_secondary) demonstrating the crash.

Mitigation Strategies

  • Update libexpat to version 2.7.4 or newer.
  • Implement defensive NULL checks in custom encoding handlers.
  • Disable external entity parsing (DTD parsing) if the application does not require it.
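A handler written along the lines of the second mitigation, added here as an example and not libexpat's or any project's own code: it checks encodingHandlerData before use and falls back to a Latin-1 map when a pre-2.7.4 child parser passes NULL. The application context struct and the fallback policy are assumptions, and the block compiles without expat installed by mirroring the shape of XML_Encoding (a real build includes <expat.h> instead).

```c
#include <string.h>
#ifdef HAVE_EXPAT
#include <expat.h>
#else
/* Assumed minimal mirror of the expat types this handler touches, so the
 * example compiles without expat installed; real builds use <expat.h>. */
typedef char XML_Char;
typedef struct {
  int map[256];
  void *data;
  int (*convert)(void *data, const char *s);
  void (*release)(void *data);
} XML_Encoding;
enum { XML_STATUS_ERROR = 0, XML_STATUS_OK = 1 };
#endif
/* Constructed application context handed to XML_SetUnknownEncodingHandler. */
typedef struct {
  const char *name; /* encoding name the application knows how to map */
  int map[256];     /* byte -> Unicode code point for that encoding */
} app_encoding_ctx;

/* Unknown-encoding handler. On libexpat < 2.7.4 the external-entity child
 * parser calls it with encodingHandlerData == NULL, so the pointer is checked
 * before use and a Latin-1 identity map serves as the fallback. */
int unknown_encoding_handler(void *encodingHandlerData, const XML_Char *name,
                             XML_Encoding *info) {
  const app_encoding_ctx *ctx = encodingHandlerData;
  if (ctx == NULL) {
    for (int i = 0; i < 256; i++) info->map[i] = i; /* Latin-1 is the identity */
  } else if (strcmp(name, ctx->name) == 0) {
    memcpy(info->map, ctx->map, sizeof info->map);
  } else {
    return XML_STATUS_ERROR; /* not ours: let expat report the unknown encoding */
  }
  info->data = NULL; /* a plain single-byte map needs no convert/release */
  info->convert = NULL;
  info->release = NULL;
  return XML_STATUS_OK;
}

/* Call the handler as the root parser (with context) and as a pre-2.7.4 child
 * parser (NULL context) would; returns the code point byte 0xE9 maps to. */
int demo_map_0xE9(int with_context) {
  app_encoding_ctx ctx = { "x-custom", { 0 } };
  for (int i = 0; i < 256; i++) ctx.map[i] = (i < 0x80) ? i : 0x2400 + i; /* constructed table */
  XML_Encoding info = { { 0 } };
  if (unknown_encoding_handler(with_context ? &ctx : NULL, "x-custom", &info) != XML_STATUS_OK)
    return -1;
  return info.map[0xE9]; /* 0xE9 without context, 0x24E9 with it */
}
```

Without the NULL check, the same handler would dereference ctx->name on the child parser and crash exactly as the report describes.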

Remediation Steps:

  1. Identify all instances of libexpat in your dependency tree (including transitive dependencies).
  2. For Linux systems, run yum update expat or apt-get install libexpat1 to fetch the latest distro patches.
  3. For bundled libraries (common in Node.js, Python, etc.), rebuild the application against the patched source.

