update: expat #2052

@dongsupark

Name: expat
CVEs: CVE-2026-32776, CVE-2026-32777, CVE-2026-32778
CVSSs: 4.0, 4.0, 2.9
Action Needed: update to >= 2.7.5

Summary:

  • CVE-2026-32776: libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content.
  • CVE-2026-32777: libexpat before 2.7.5 allows an infinite loop while parsing DTD content.
  • CVE-2026-32778: libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier out-of-memory condition.

refmap.gentoo: https://bugs.gentoo.org/971298

Labels: advisory (security advisory), cvss/MEDIUM (>= 4 && < 7 assessed CVSS), security (security concerns)

Status: 🪵 Backlog
