CVE-2026-32778

Publication date 16 March 2026

Last updated 18 March 2026

Ubuntu priority

Medium

Why this priority?

Cvss 3 Severity Score

2.9 · Low

Score breakdown

Description

libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier ouf-of-memory condition.

Read the notes from the security team

Status

Package Ubuntu Release Status
expat 26.04 LTS resolute
Needs evaluation
25.10 questing
Needs evaluation
24.04 LTS noble
Needs evaluation
22.04 LTS jammy
Needs evaluation
20.04 LTS focal
Needs evaluation
18.04 LTS bionic
Needs evaluation
16.04 LTS xenial
Needs evaluation
14.04 LTS trusty
Needs evaluation
apache2 26.04 LTS resolute
Not affected
25.10 questing
Not affected
24.04 LTS noble
Not affected
22.04 LTS jammy
Not affected
20.04 LTS focal
Not affected
18.04 LTS bionic
Not affected
16.04 LTS xenial
Not affected
14.04 LTS trusty
Not affected
apr-util 26.04 LTS resolute
Not affected
25.10 questing
Not affected
24.04 LTS noble
Not affected
22.04 LTS jammy
Not affected
20.04 LTS focal
Not affected
18.04 LTS bionic
Not affected
16.04 LTS xenial
Not affected
14.04 LTS trusty
Not affected
cmake 26.04 LTS resolute
Not affected
25.10 questing
Not affected
24.04 LTS noble
Not affected
22.04 LTS jammy
Not affected
20.04 LTS focal
Not affected
18.04 LTS bionic
Not affected
16.04 LTS xenial
Not affected
ghostscript 26.04 LTS resolute
Not affected
25.10 questing
Not affected
24.04 LTS noble
Not affected
22.04 LTS jammy
Not affected
20.04 LTS focal
Not affected
18.04 LTS bionic
Not affected
16.04 LTS xenial
Not affected
texlive-bin 26.04 LTS resolute
Not affected
25.10 questing
Not affected
24.04 LTS noble
Not affected
22.04 LTS jammy
Not affected
20.04 LTS focal
Not affected
18.04 LTS bionic
Not affected
16.04 LTS xenial
Not affected
xmlrpc-c 26.04 LTS resolute
Needs evaluation
25.10 questing
Needs evaluation
24.04 LTS noble
Needs evaluation
22.04 LTS jammy
Needs evaluation
20.04 LTS focal
Needs evaluation
18.04 LTS bionic
Needs evaluation
16.04 LTS xenial
Needs evaluation
14.04 LTS trusty
Needs evaluation
vnc4 26.04 LTS resolute Not in release
25.10 questing Not in release
24.04 LTS noble Not in release
22.04 LTS jammy Not in release
18.04 LTS bionic
Needs evaluation
16.04 LTS xenial
Needs evaluation
14.04 LTS trusty
Needs evaluation
wbxml2 26.04 LTS resolute
Needs evaluation
25.10 questing
Needs evaluation
24.04 LTS noble
Needs evaluation
22.04 LTS jammy
Needs evaluation
20.04 LTS focal
Needs evaluation
18.04 LTS bionic
Needs evaluation
16.04 LTS xenial
Needs evaluation
swish-e 26.04 LTS resolute
Needs evaluation
25.10 questing
Needs evaluation
24.04 LTS noble
Needs evaluation
22.04 LTS jammy
Needs evaluation
20.04 LTS focal
Needs evaluation
18.04 LTS bionic
Needs evaluation
16.04 LTS xenial
Needs evaluation
insighttoolkit4 26.04 LTS resolute Not in release
25.10 questing Not in release
24.04 LTS noble Not in release
22.04 LTS jammy
Needs evaluation
20.04 LTS focal
Needs evaluation
18.04 LTS bionic
Needs evaluation
16.04 LTS xenial
Needs evaluation
cadaver 26.04 LTS resolute
Needs evaluation
25.10 questing
Needs evaluation
24.04 LTS noble
Needs evaluation
22.04 LTS jammy
Needs evaluation
20.04 LTS focal
Needs evaluation
18.04 LTS bionic
Needs evaluation
16.04 LTS xenial
Needs evaluation
gdcm 26.04 LTS resolute
Not affected
25.10 questing
Not affected
24.04 LTS noble
Not affected
22.04 LTS jammy
Not affected
20.04 LTS focal
Not affected
18.04 LTS bionic
Needs evaluation
16.04 LTS xenial
Needs evaluation
14.04 LTS trusty
Not affected
ayttm 26.04 LTS resolute Not in release
25.10 questing Not in release
24.04 LTS noble Not in release
22.04 LTS jammy Not in release
16.04 LTS xenial
Needs evaluation
cableswig 26.04 LTS resolute Not in release
25.10 questing Not in release
24.04 LTS noble Not in release
22.04 LTS jammy Not in release
16.04 LTS xenial
Needs evaluation
coin3 26.04 LTS resolute
Not affected
25.10 questing
Not affected
24.04 LTS noble
Not affected
22.04 LTS jammy
Not affected
20.04 LTS focal
Not affected
18.04 LTS bionic
Needs evaluation
16.04 LTS xenial
Needs evaluation
14.04 LTS trusty
Needs evaluation
matanza 26.04 LTS resolute Ignored
25.10 questing Ignored
24.04 LTS noble Ignored
22.04 LTS jammy Ignored
20.04 LTS focal Ignored
18.04 LTS bionic
Needs evaluation
16.04 LTS xenial
Needs evaluation
tdom 26.04 LTS resolute
Needs evaluation
25.10 questing
Needs evaluation
24.04 LTS noble
Needs evaluation
22.04 LTS jammy
Needs evaluation
20.04 LTS focal
Needs evaluation
18.04 LTS bionic
Needs evaluation
16.04 LTS xenial
Needs evaluation
vtk 26.04 LTS resolute Not in release
25.10 questing Not in release
24.04 LTS noble Not in release
22.04 LTS jammy Not in release
16.04 LTS xenial
Needs evaluation
14.04 LTS trusty
Needs evaluation
smart 26.04 LTS resolute Not in release
25.10 questing Not in release
24.04 LTS noble Not in release
22.04 LTS jammy Not in release
18.04 LTS bionic
Needs evaluation
16.04 LTS xenial
Needs evaluation
firefox 26.04 LTS resolute
Not affected
25.10 questing
Not affected
24.04 LTS noble
Not affected
22.04 LTS jammy
Not affected
thunderbird 26.04 LTS resolute
Not affected
25.10 questing
Not affected
24.04 LTS noble
Not affected
22.04 LTS jammy
Not affected
libxmltok 26.04 LTS resolute Not in release
25.10 questing Not in release
24.04 LTS noble
Needs evaluation
22.04 LTS jammy
Needs evaluation
20.04 LTS focal
Needs evaluation
18.04 LTS bionic
Needs evaluation
16.04 LTS xenial
Needs evaluation

Notes

sbeattie

paraview uses system expat xotcl uses system expat poco uses system expat gdcm uses system expat audacity uses system expat simgear uses system expat coin3 uses system expat as of 4.0.0~CMake~6f54f1602475+ds1-1 sitecopy uses system expat since 1:0.16.0-1 (dapper!) insighttoolkit uses system expat as of 4.12.1-dfsg1

mdeslaur

apache2 uses system expat apr-util uses system expat cmake uses system expat ghostscript uses system expat firefox uses system expat thunderbird uses system expat matanza embeds an expat fork to parse its own config file, there is no attack vector there, we will not be fixing matanza.

Severity score breakdown

Parameter Value
Base score 2.9 · Low
Attack vector Local
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact None
Availability impact Low
Vector CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

References

Other references

Access our resources on patching vulnerabilities