PatchSiren cyber security CVE debrief

CVE-2026-32777 libexpat project CVE debrief

CVE-2026-32777 is a medium-severity vulnerability in libexpat before version 2.7.5: parsing DTD content can send the parser into an infinite loop, resulting in a Denial of Service. It affects Hitachi Energy's RTU500 series CMU Firmware when IEC 61850 functionality is configured. The vulnerability was published on May 26, 2026, and modified on June 4, 2026. The CVSS score is 5.5 and the severity is MEDIUM.

Vendor: libexpat project
Product: RTU500 series CMU Firmware
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-06-04
Advisory published: 2026-05-26
Advisory updated: 2026-06-04

Who should care

Organizations running Hitachi Energy's RTU500 series CMU Firmware with IEC 61850 functionality configured should prioritize patching this vulnerability to prevent Denial of Service attacks. Security teams and administrators responsible for industrial control systems should also be aware of it and apply the mitigations below. CVE-2026-32777 is rated medium severity, but a parser hang on an RTU can have a significant impact in industrial control system environments.

Technical summary

CVE-2026-32777 is a CWE-835 (Loop with Unreachable Exit Condition, "Infinite Loop") vulnerability in libexpat before version 2.7.5. Parsing DTD content can put the parser into an infinite loop, leading to a Denial of Service. The affected product is Hitachi Energy's RTU500 series CMU Firmware, but only if IEC 61850 functionality is configured. The vulnerability has a CVSS score of 5.5 and a severity of MEDIUM. It was published on May 26, 2026, and modified on June 4, 2026.

Defensive priority

CVE-2026-32777 has a medium severity, but its impact could be significant in certain industrial control system environments. Organizations should prioritize patching this vulnerability to prevent potential Denial of Service attacks.

Recommended defensive actions

  • Update to CMU Firmware version 13.7.9 (when available) or 13.8.2
  • Follow general mitigation factors/workarounds
  • Monitor system logs for potential Denial of Service attacks
  • Implement network segmentation to limit the spread of potential attacks
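Where firmware cannot be updated immediately, a service that embeds libexpat can gate DTD processing on the linked library version. The following is an added example (not code from the advisory, PatchSiren, or Hitachi Energy) using Python's pyexpat binding as a stand-in for any application linked against libexpat; the fix threshold 2.7.5 comes from the advisory, and the `expat_version` parameter is a hypothetical hook for simulating an unpatched library.

```python
import pyexpat  # Python's binding to libexpat; reports the linked library version
from xml.parsers.expat import ParserCreate

# From the advisory: libexpat versions before 2.7.5 can loop forever on DTD content.
FIXED_VERSION = (2, 7, 5)


class DtdRejected(Exception):
    """Document carries a DOCTYPE and the linked libexpat predates the fix."""


def linked_expat_version():
    """Version of the libexpat actually linked into this interpreter."""
    return tuple(pyexpat.version_info)


def expat_is_patched(version=None):
    """True when the given (or linked) libexpat version is 2.7.5 or later."""
    return tuple(version or linked_expat_version()) >= FIXED_VERSION


def parse_untrusted(xml_bytes, expat_version=None):
    """Parse untrusted XML, refusing DTDs unless libexpat is 2.7.5 or later.

    expat_version is a hypothetical override so a caller (or a test) can
    simulate an unpatched library; by default the linked version is checked.
    """
    parser = ParserCreate()
    seen = {"elements": 0, "doctype": False}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires on '<!DOCTYPE ...' before the internal subset is parsed,
        # so an unpatched parser never reaches the DTD content that loops.
        seen["doctype"] = True
        if not expat_is_patched(expat_version):
            raise DtdRejected(f"DOCTYPE {name!r} rejected: libexpat older than 2.7.5")

    def on_start(name, attrs):
        seen["elements"] += 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.Parse(xml_bytes, True)  # an exception raised in a handler propagates here
    return seen
```

Documents without a DOCTYPE still parse on any version; only DTD-bearing input is refused when the library is older than the fix.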

Evidence notes

The vulnerability is an infinite loop in libexpat before version 2.7.5 triggered while parsing DTD content. The affected product is Hitachi Energy's RTU500 series CMU Firmware. The vulnerability has a CVSS score of 5.5 and a severity of MEDIUM, and was published on May 26, 2026, and modified on June 4, 2026.

Official resources

This article is AI-assisted and based on the supplied source corpus.