
OpenBSD patches two denial-of-service flaws in libexpat (CVE-2026-24515 and CVE-2026-25210)

On 9 February 2026 the OpenBSD project shipped a security patch as errata 014 for OpenBSD 7.8, with a matching errata for 7.7. It fixes two denial-of-service vulnerabilities in libexpat, the XML parsing library also known as Expat. Both flaws were first addressed in libexpat 2.7.4, which project maintainer Sebastian Pipping released on 31 January 2026.

What the vulnerabilities are

This patch covers two flaws:

  • CVE-2026-24515: a NULL pointer dereference (CWE-476). The bug sits in the XML_ExternalEntityParserCreate function, which fails to copy the user data tied to the unknown-encoding handler: when a parent parser has an unknown-encoding handler registered with user data, the function creates a child parser to process external entities but never carries the user-data pointer over to it. When the handler then runs in the child parser with a NULL or uninitialized pointer, the application can crash.
  • CVE-2026-25210: an integer overflow (CWE-190) in libexpat that can also end in a denial-of-service condition.

Who is affected

This affects any program that uses a libexpat version earlier than 2.7.4 to parse XML. Expat is one of the most widely deployed XML parsing libraries in free software, embedded in many languages, browsers and utilities. On OpenBSD, libexpat ships as part of the base system, so the errata fixes the component for every program that depends on it on OpenBSD 7.7 and 7.8.

Severity

Severity is low to medium. The primary CVE, CVE-2026-24515, was assigned a very low CVSS v3.1 score (around 2.5-2.9, rated low by both NIST and MITRE), since it requires a local access vector and high attack complexity, with no trivial path involving privileges or user interaction. The impact stops at availability: the affected process terminates unexpectedly when it processes crafted XML input. No code execution or data leakage is tied to it, and no exploitation in the wild has been reported. Still, if you run services that parse XML from untrusted sources, an availability failure matters.

Mitigation and patch

The recommendation is straightforward: upgrade libexpat to version 2.7.4 or later. On OpenBSD you only need to apply the errata with syspatch(8), the base system's binary patch tool:

syspatch

The errata patches are available for the usual OpenBSD architectures. After applying them, restart any services linked against libexpat so they load the corrected library. On other distributions, install the updated expat/libexpat package that ships version 2.7.4.
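As an added example (not from the article, nor OpenBSD or libexpat project code), the following Python check decides whether an expat build predates the 2.7.4 fix. It goes slightly beyond the page: besides parsing a version string such as the output of `pkg-config --modversion expat`, it inspects the expat loaded by the running Python interpreter through `pyexpat.version_info`, because language runtimes are among the "many languages" that embed Expat and are easy to forget when restarting services after the patch. The fixed version 2.7.4 comes from the article; the function and variable names are this example's own.

```python
"""Flag libexpat versions older than 2.7.4 (the release carrying the fixes for
CVE-2026-24515 and CVE-2026-25210 named in the article).

Added example; not OpenBSD or libexpat project code. Names below are this
example's own choices.
"""
import re
import shutil
import subprocess

# First libexpat release with both fixes, per the article.
FIXED_VERSION = (2, 7, 4)

# Matches the x.y.z part of strings such as "2.7.4", "expat_2.7.3" or
# "libexpat 2.6.0".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_expat_version(text):
    """Return (major, minor, micro) ints from a version string, or None if
    no x.y.z version appears in it."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version):
    """True when the (major, minor, micro) tuple is older than 2.7.4."""
    return tuple(version) < FIXED_VERSION


def bundled_pyexpat_status():
    """Version of the expat the interpreter itself loaded, plus the verdict.

    pyexpat.version_info is a tuple of ints built from the library's own
    version report, so a vulnerable result here means XML parsing inside this
    Python (xml.etree, xml.sax, plistlib, ...) is affected."""
    import pyexpat
    version = tuple(pyexpat.version_info)
    return version, is_vulnerable(version)


def pkgconfig_expat_status():
    """Version of the system libexpat as reported by pkg-config, plus the
    verdict. Returns None when pkg-config or the expat .pc file is missing,
    so callers can distinguish 'unknown' from 'fixed'."""
    if shutil.which("pkg-config") is None:
        return None
    proc = subprocess.run(["pkg-config", "--modversion", "expat"],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    version = parse_expat_version(proc.stdout)
    if version is None:
        return None
    return version, is_vulnerable(version)


def _fmt(version):
    return ".".join(str(part) for part in version)


if __name__ == "__main__":
    py_version, py_vuln = bundled_pyexpat_status()
    print("interpreter pyexpat : %s -> %s" % (
        _fmt(py_version), "VULNERABLE (< 2.7.4)" if py_vuln else "fixed"))
    system = pkgconfig_expat_status()
    if system is None:
        print("system libexpat     : pkg-config lookup unavailable")
    else:
        sys_version, sys_vuln = system
        print("system libexpat     : %s -> %s" % (
            _fmt(sys_version), "VULNERABLE (< 2.7.4)" if sys_vuln else "fixed"))
```

The two lookups answer different questions: the pkg-config result tells you what the installed library package is, while the pyexpat result tells you what a long-running Python process actually has mapped, which is exactly the thing that stays stale until the service is restarted.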

If you want to see how OpenBSD hardens its base system against this class of bugs, take a look at the OpenBSD entry in our operating-system directory.
