Vendor coverage
Track published CVEs, severity trends, and remediation context for libexpat_project products.
Search results
Showing 1-47 of 47 vulnerabilities.
libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.
CVSS
2.9
LOW
Published
Apr 16, 2026
libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier out-of-memory condition.
CVSS
2.9
LOW
Published
Mar 16, 2026
libexpat before 2.7.5 allows an infinite loop while parsing DTD content.
CVSS
4.0
MEDIUM
Published
Mar 16, 2026
libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content.
CVSS
4.0
MEDIUM
Published
Mar 16, 2026
In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.
CVSS
6.9
MEDIUM
Published
Jan 30, 2026
In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.
CVSS
2.9
LOW
Published
Jan 23, 2026
In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.
CVSS
2.9
LOW
Published
Nov 28, 2025
libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.
CVSS
7.5
HIGH
Published
Sep 15, 2025
An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser.
CVSS
5.9
MEDIUM
Published
Oct 27, 2024
An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).
CVSS
9.8
CRITICAL
Published
Aug 30, 2024
An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).
CVSS
9.8
CRITICAL
Published
Aug 30, 2024
An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.
CVSS
7.5
HIGH
Published
Aug 30, 2024
libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).
CVSS
7.5
HIGH
Published
Mar 10, 2024
libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.
CVSS
5.5
MEDIUM
Published
Feb 4, 2024
libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.
CVSS
7.5
HIGH
Published
Feb 4, 2024
In libexpat through 2.4.9, there is a use-after-free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.
CVSS
7.5
HIGH
Published
Oct 24, 2022
libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.
CVSS
8.1
HIGH
Published
Sep 14, 2022
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.
CVSS
9.8
CRITICAL
Published
Feb 18, 2022
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.
CVSS
7.5
HIGH
Published
Feb 18, 2022
In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.
CVSS
6.5
MEDIUM
Published
Feb 18, 2022
xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.
CVSS
9.8
CRITICAL
Published
Feb 16, 2022
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.
CVSS
9.8
CRITICAL
Published
Feb 16, 2022
Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.
CVSS
7.5
HIGH
Published
Jan 26, 2022
Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.
CVSS
9.8
CRITICAL
Published
Jan 24, 2022
storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVSS
8.8
HIGH
Published
Jan 10, 2022
nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVSS
8.8
HIGH
Published
Jan 10, 2022
lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVSS
8.8
HIGH
Published
Jan 10, 2022
defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVSS
9.8
CRITICAL
Published
Jan 10, 2022
build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVSS
9.8
CRITICAL
Published
Jan 10, 2022
addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVSS
9.8
CRITICAL
Published
Jan 10, 2022
In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.
CVSS
8.1
HIGH
Published
Jan 6, 2022
In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).
CVSS
8.8
HIGH
Published
Jan 1, 2022
In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.
CVSS
7.5
HIGH
Published
Sep 4, 2019
In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).
CVSS
7.5
HIGH
Published
Jun 24, 2019
The writeRandomBytes_RtlGenRandom function in xmlparse.c in libexpat in Expat 2.2.1 and 2.2.2 on Windows allows local users to gain privileges via a Trojan horse ADVAPI32.DLL in the current working directory because of an untrusted search path, aka DLL hijacking.
CVSS
7.8
HIGH
Published
Jul 30, 2017
XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.
CVSS
7.5
HIGH
Published
Jul 25, 2017
The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.
CVSS
8.1
HIGH
Published
Jun 30, 2016
The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876.
CVSS
7.5
HIGH
Published
Jun 16, 2016
Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function.
CVSS
5.9
MEDIUM
Published
Jun 16, 2016
Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.
CVSS
9.8
CRITICAL
Published
May 26, 2016
Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data, a related issue to CVE-2015-2716.
CVSS
6.8
UNKNOWN
Published
Jul 23, 2015
expat before version 2.4.0 does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.
CVSS
6.8
UNKNOWN
Published
Jan 21, 2014
Memory leak in the poolGrow function in expat/lib/xmlparse.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (memory consumption) via a large number of crafted XML files that cause improperly-handled reallocation failures when expanding entities.
CVSS
5.0
UNKNOWN
Published
Jul 3, 2012
readfilemap.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (file descriptor consumption) via a large number of crafted XML files.
CVSS
4.3
UNKNOWN
Published
Jul 3, 2012
The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value.
CVSS
4.3
UNKNOWN
Published
Jul 3, 2012
The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c, a different vulnerability than CVE-2009-2625 and CVE-2009-3720.
CVSS
5.0
UNKNOWN
Published
Dec 4, 2009
The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625.
CVSS
5.0
UNKNOWN
Published
Nov 3, 2009