Expat 2.7.5 released, includes security fixes
7 hours ago
- #XML
- #OpenSource
- #Security
- Expat 2.7.5 released with security fixes.
- libexpat is a fast streaming XML parser, widely used and written in C99, licensed under MIT.
- Security fixes include: CVE-2026-32776 (NULL pointer dereference), CVE-2026-32777 (infinite loop), CVE-2026-32778 (NULL pointer dereference).
- The first NULL pointer dereference was fixed by Francesco Bertolaccini using the AI tool Buttercup.
- The infinite loop issue was found by Google ClusterFuzz and fixed under a 90-day deadline.
- The second NULL pointer dereference was reported by Christian Ng and fixed collaboratively.
- Three known, still-unfixed security issues remain in libexpat; they are listed on GitHub.
- Maintainers of Expat packaging are urged to update to version 2.7.5.