For readers new to Expat:

libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, specifically C99. It is cross-platform and licensed under the MIT license.

Expat 2.7.5 was released earlier today. The key motivation for cutting a release and doing so now is three security fixes:

• CVE-2026-32776 — NULL pointer dereference (CWE-476)
• CVE-2026-32777 — infinite loop (CWE-835)
• CVE-2026-32778 — NULL pointer dereference (CWE-476)

The first NULL pointer dereference was reported and fixed by Francesco Bertolaccini of Trail of Bits with help from their AI tool Buttercup.

The infinite loop denial of service issue was uncovered by Google ClusterFuzz through continuesly fuzzing with xml_lpm_fuzzer that Mark Brand of Project Zero and I teamed up on in the past for Expat 2.7.0. Berkay Eren Ürün and I teamed up for analysis and a fix under a 90 day disclosure deadline.

The second NULL pointer dereference was reported by Christian Ng, and he and I teamed up on a fix.

So much for the fixed vulnerabilities. There are also three known unfixed security issues remaining in libexpat, and there is a GitHub issue listing known unfixed security issues in libexpat for anyone interested.

Thanks to everyone who contributed to this release of Expat!

For more details about this release, please check out the change log.

If you maintain Expat packaging, a bundled copy of Expat, or a pinned version of Expat, please update to version 2.7.5. Thank you!

Sebastian Pipping