CVE-2026-32776: NULL pointer dereference when processing empty external parameter entities inside an entity declaration value (bsc#1259726).
CVE-2026-32777: denial of service due to infinite loop in DTD content parsing (bsc#1259711).
CVE-2026-32778: NULL pointer dereference in setContext on retry after an out-of-memory condition (bsc#1259729).
Affected Packages
expat
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS, SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS, SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS, SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS, SUSE Linux Enterprise Micro 5.3
Fixed in:
2.7.1-150400.3.37.1
libexpat-devel
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS, SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS, SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS, SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS, SUSE Linux Enterprise Server 15 SP4-LTSS
Fixed in:
2.7.1-150400.3.37.1
libexpat1
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS, SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS, SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS, SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS, SUSE Linux Enterprise Micro 5.3
Fixed in:
2.7.1-150400.3.37.1
libexpat1-32bit
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS, SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS, SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS, SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS, SUSE Linux Enterprise Server 15 SP4-LTSS