
OpenBSD 7.8 errata 024: three denial-of-service flaws in libexpat

On 21 March 2026 the OpenBSD project shipped errata 024 for the 7.8 release. It’s a short patch, tagged as a reliability fix for all architectures, and it closes three denial-of-service bugs in libexpat, the library the base system uses to parse XML. The identifiers are CVE-2026-32776, CVE-2026-32777 and CVE-2026-32778.

What breaks

libexpat (expat) is the XML parser baked into a huge chunk of software: browsers, web servers, command-line tools and any library that reads configuration files or feeds. The three bugs all end the same way, with the parsing process out of service, but they get there through different paths.

  • CVE-2026-32776: a NULL pointer dereference triggered by empty external parameter entity content. While handling that case the code touches a pointer that was never initialised.
  • CVE-2026-32777: an infinite loop while walking DTD content. Google’s ClusterFuzz found it. The process doesn’t crash outright; it hangs and burns CPU.
  • CVE-2026-32778: another NULL dereference, this time in the setContext function, fired on retry after an earlier out-of-memory condition.

None of the three allows code execution or reading other people’s data. The impact is limited to availability: with a purpose-built XML document, an attacker can make any application that trusts expat crash or lock up. All three score CVSS 5.5, a local vector with high availability impact (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

Who’s affected

Anyone running OpenBSD 7.8 with components that lean on libexpat to handle XML from untrusted sources. The real risk depends on your exposure: if one of your applications parses XML it receives from outside (user uploads, remote feeds, messages), a malicious document is enough to take that service down. On setups that only process their own XML the danger is much smaller, though patching is still worth it.

This isn’t specific to OpenBSD. expat is nearly everywhere, and the same CVEs have produced advisories from Debian, SUSE, Amazon Linux and IBM, among others. The upstream fix landed in expat 2.7.5; each distribution has been folding it in at its own pace.

How to protect yourself

On OpenBSD 7.8, apply errata 024 the usual way:

# syspatch

If you manage patches by hand, grab the binary or source for the errata from the official page and follow the build steps that come with each entry. After installing, restart the services that have the library loaded so they pick up the fixed version.

If you run a mixed fleet, check the rest of your machines too: any package linking against expat below 2.7.5 carries the same three bugs. Look at your distribution’s security tracker and update the expat/libexpat package wherever it lives.
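As an added example, not from the OpenBSD errata or the expat project, here is a small Python helper for the two fleet chores above: comparing packaged expat versions against 2.7.5, and, for hosts not yet patched, parsing untrusted XML in a throwaway worker so a hang or crash costs one worker rather than the service. Host names and version strings are constructed, and the version reported by `linked_expat_status` is the expat the interpreter itself links, which may be Python's bundled copy rather than the system library.

```python
import re
import subprocess
import sys
import xml.parsers.expat as expat

FIXED = (2, 7, 5)  # upstream expat release carrying the fix for all three CVEs

def upstream_version(text):
    """'2.7.1-2' or '2.7.5' -> (2, 7, 1) / (2, 7, 5), dropping distro suffixes."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def fleet_report(inventory):
    """inventory: host -> version string from its package manager (constructed
    in the test); returns the hosts whose expat still predates 2.7.5."""
    return sorted(host for host, ver in inventory.items()
                  if upstream_version(ver) < FIXED)

def linked_expat_status():
    """Version of the expat this interpreter has loaded (possibly Python's
    bundled copy, not the system library) and whether it needs the fix."""
    ver = tuple(expat.version_info)
    return {"version": ver, "vulnerable": ver < FIXED}

# Worker script run in a throwaway process: a NULL dereference or an endless
# loop there takes down one worker, never the calling service. External
# parameter entities are not loaded at all for untrusted input.
_WORKER = r"""
import sys, xml.parsers.expat as e
p = e.ParserCreate()
p.SetParamEntityParsing(e.XML_PARAM_ENTITY_PARSING_NEVER)
try:
    p.Parse(sys.stdin.buffer.read(), True)
except e.ExpatError as err:
    sys.stderr.write(str(err))
    sys.exit(1)
"""

def parse_untrusted(data, timeout=2.0):
    """Returns 'ok', 'rejected: <reason>', 'timeout' or 'crashed (signal N)'."""
    try:
        r = subprocess.run([sys.executable, "-c", _WORKER], input=data,
                           capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"  # the hang described for CVE-2026-32777
    if r.returncode < 0:
        return f"crashed (signal {-r.returncode})"  # e.g. a NULL dereference
    if r.returncode != 0:
        return "rejected: " + r.stderr.decode(errors="replace").strip()
    return "ok"
```

A `timeout` or `crashed` result on a document that a patched host accepts is a useful signal that the expat on the rejecting host still needs the update.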

OpenBSD keeps its full patch history on the 7.8 errata page, handy for confirming what you’ve already applied.
