Name
expat
Version
2.6.4
Type
library
Description
A stream-oriented XML parser library
Licenses
MIT
PURL
-
CPE
cpe:2.3:*:libexpat_project:libexpat:2.6.4:*:*:*:*:*:*:*
Other Versions
Patches
#
Title
Author
Resolve
1
lib: Make function copyString use macro MALLOC
Sebastian Pipping <sebastian@pipping.org>
CVE-2025-59375
2
Changes: Document allocation tracking
Sebastian Pipping <sebastian@pipping.org>
CVE-2025-59375
3
lib: Exclude the content model from allocation tracking
Sebastian Pipping <sebastian@pipping.org>
CVE-2025-59375
4
Fix NULL function-pointer dereference for empty external
Francesco Bertolaccini <francesco.bertolaccini@trailofbits.com>
CVE-2026-32776
5
copy prefix name to pool before lookup
laserbear <10689391+Laserbear@users.noreply.github.com>
CVE-2026-32778
6
Changes: Document pull request #1047
Sebastian Pipping <sebastian@pipping.org>
CVE-2025-59375
7
tests: Cover indirect entity recursion
Sebastian Pipping <sebastian@pipping.org>
8
lib: Document and regression-proof absence of integer
Sebastian Pipping <sebastian@pipping.org>
CVE-2025-59375
9
tests: Add line/column checks to async entity tests
Berkay Eren Ürün <berkay.ueruen@tum.de>
CVE-2024-8176
10
lib: Introduce an integer overflow check for tag buffer
Matthew Fernandez <matthew.fernandez@gmail.com>
CVE-2026-25210
11
lib: Make function dtdCreate use macro MALLOC
Sebastian Pipping <sebastian@pipping.org>
CVE-2025-59375
12
lib: Exclude XML_Mem* functions from allocation tracking
Sebastian Pipping <sebastian@pipping.org>
CVE-2025-59375
13
lib: Fix detection of asynchronous tags in entities
Berkay Eren Ürün <berkay.ueruen@tum.de>
CVE-2024-8176
14
xmlwf: Mention supported environment variables in --help
Sebastian Pipping <sebastian@pipping.org>
CVE-2025-59375
15
lib: Drop casts around malloc/realloc returns that C99 does
Sebastian Pipping <sebastian@pipping.org>
CVE-2025-59375
16
test that we do not end up with a zombie PREFIX in the
laserbear <10689391+Laserbear@users.noreply.github.com>
CVE-2026-32778
17
Stop updating event pointer on exit for reentry (fixes #980)
Peter Marko <peter.marko@siemens.com>
CVE-2024-8176
18
tests: Fix test guard for test related to allocation tracking
Sebastian Pipping <sebastian@pipping.org>
CVE-2025-59375
19
tests: Cover effect of XML_SetUnknownEncodingHandler user
Sebastian Pipping <sebastian@pipping.org>
CVE-2026-24515
20
tests: Cover allocation tracking and limiting with tests
Sebastian Pipping <sebastian@pipping.org>
CVE-2025-59375
21
lib: Make string pools use macros MALLOC, FREE, REALLOC
Sebastian Pipping <sebastian@pipping.org>
CVE-2025-59375
22
tests: Cover XML_ERROR_ASYNC_ENTITY cases
Sebastian Pipping <sebastian@pipping.org>
CVE-2024-8176
23
fuzz: Be robust towards NULL return from
Sebastian Pipping <sebastian@pipping.org>
CVE-2025-59375
24
misc_tests.c: Cover XML_TOK_INSTANCE_START infinite loop
Sebastian Pipping <sebastian@pipping.org>
CVE-2026-32777
25
xmlwf: Wire allocation tracker config to existing arguments
Sebastian Pipping <sebastian@pipping.org>
CVE-2025-59375
26
lib: Make function dtdDestroy use macro FREE
Sebastian Pipping <sebastian@pipping.org>
CVE-2025-59375
27
docs: Promote the contract to call XML_FreeContentModel
Sebastian Pipping <sebastian@pipping.org>
CVE-2025-59375
28
lib: Implement tracking of dynamic memory allocations
Sebastian Pipping <sebastian@pipping.org>
CVE-2025-59375
29
lib: Realign a size with the `REALLOC` type signature it is
Matthew Fernandez <matthew.fernandez@gmail.com>
CVE-2026-25210
30
lib: Exclude the main input buffer from allocation tracking
Sebastian Pipping <sebastian@pipping.org>
CVE-2025-59375
31
lib: Make XML_ExternalEntityParserCreate copy unknown
Sebastian Pipping <sebastian@pipping.org>
CVE-2026-24515
32
lib: Make function hash tables use macros MALLOC and FREE
Sebastian Pipping <sebastian@pipping.org>
CVE-2025-59375
33
tests: Add new test test_alloc_tracker_pointer_alignment
Sebastian Pipping <sebastian@pipping.org>
CVE-2025-59375
34
lib: Make a doubling more readable
Matthew Fernandez <matthew.fernandez@gmail.com>
CVE-2026-25210
35
lib: Reject XML_TOK_INSTANCE_START infinite loop in
Sebastian Pipping <sebastian@pipping.org>
CVE-2026-32777
36
lib: Make XML_MemFree and XML_FreeContentModel match their
Sebastian Pipping <sebastian@pipping.org>
CVE-2025-59375
37
lib: Make function dtdReset use macro FREE
Sebastian Pipping <sebastian@pipping.org>
CVE-2025-59375
38
docs: Document the two allocation tracking API functions
Sebastian Pipping <sebastian@pipping.org>
CVE-2025-59375
39
lib: Fix alignment of internal allocations for some non-amd64
Sebastian Pipping <sebastian@pipping.org>
CVE-2025-59375
40
lib: Make function dtdCopy use macro MALLOC
Sebastian Pipping <sebastian@pipping.org>
CVE-2025-59375
41
[CVE-2024-8176] Resolve the recursion during entity
Peter Marko <peter.marko@siemens.com>
CVE-2024-8176
Vulnerabilities
Name
Analysis
Description
Exploitable
libexpat before 2.8.2 does not consider XML_TOK_DATA_CHARS in doCdataSection and thus lacks handler call depth tracking for various calls from within handlers in cases of a policy violation. Thus, a use-after-free can occur. NOTE: this issue exists because of an incomplete fix for CVE-2026-50219.
Exploitable
xmlwf in libexpat before 2.8.2 has an integer overflow in endDoctypeDecl via NOTATION declarations.
Exploitable
xmlwf in libexpat before 2.8.2 has an integer overflow in resolveSystemId.
Exploitable
xmlwf in libexpat before 2.8.2 has an integer overflow for the output filename when -d outputDir is used.
Exploitable
libexpat before 2.8.2 has an integer overflow in copyString.
Exploitable
libexpat before 2.8.2 has an integer overflow in doProlog that is related to storeEntityValue and entity textLen.
Exploitable
libexpat before 2.8.2 has an integer overflow in XML_ParseBuffer because it lacked a check that was present in XML_Parse.
Exploitable
libexpat before 2.8.2 has an integer overflow in getAttributeId.
Exploitable
libexpat before 2.8.2 has an integer overflow in addBinding.
Exploitable
libexpat before 2.8.2 has an integer overflow in storeAtts.
Exploitable
In libexpat before 2.8.2, there is a heap-based buffer overflow in doProlog in xmlparse.c because scaffold backing array reallocation is mishandled when there is data-structure sharing across parsers.
Exploitable
libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_ResumeParser from within handlers in cases of a policy violation. Thus, a use-after-free can occur (similar to the CVE-2026-50219 situation).
Exploitable
libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset from within handlers in cases of a policy violation. Thus, a use-after-free can occur,
Exploitable
In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input.
Exploitable
libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.
Patched
libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier out-of-memory condition.
Patched
libexpat before 2.7.5 allows an infinite loop while parsing DTD content.
Patched
libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content.
Patched
In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.
Patched
In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.
Exploitable
In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.
Patched
libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.
Patched
A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.
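Three of the entries above (the recursive entity expansion, the large dynamic allocations from a small document, and the long processing time from a 2 MiB file) are all amplification problems: a few hundred bytes of DTD make the parser do work proportional to the product of the entity fan-outs. The following added example, which is not code from this page or from the expat project, measures that amplification with the expat build bundled in Python (xml.parsers.expat) on a constructed document and shows how an application can impose its own expansion budget from a character-data handler. The C-level knobs expat offers (the billion-laughs protection and the two allocation-tracker API functions the patches above document) are assumed not to be reachable from pyexpat, which is why the budget is enforced application-side here; the document, entity names and budget figures are constructed for the example.

```python
"""Entity-expansion amplification measured with the expat build bundled in
Python (xml.parsers.expat). Added example, not code from this page or from
the expat project; the document it parses is constructed inline."""
import xml.parsers.expat


def build_expanding_doc(depth=3, fanout=10, leaf="x" * 10):
    """Constructed input: internal entity e{i} references e{i-1} `fanout`
    times, so &e{depth}; in content expands to len(leaf) * fanout**depth
    characters while the document itself stays a few hundred bytes."""
    decls = [f'<!ENTITY e0 "{leaf}">']
    for i in range(1, depth + 1):
        refs = f"&e{i - 1};" * fanout
        decls.append(f'<!ENTITY e{i} "{refs}">')
    return f'<!DOCTYPE d [{"".join(decls)}]><d>&e{depth};</d>'


class ExpansionBudgetExceeded(Exception):
    """Raised from inside the handler to abort the parse (pyexpat
    propagates handler exceptions out of Parse)."""


def measure_amplification(doc, char_budget=None):
    """Parse `doc` and return (input_length, expanded_chars, ratio).
    With a char_budget, abort from inside the handler once the expanded
    text exceeds it; this is an application-level stand-in (assumption)
    for the amplification caps expat itself offers at the C level."""
    parser = xml.parsers.expat.ParserCreate()
    seen = {"chars": 0}

    def on_character_data(data):
        # Internal entities are expanded by expat before the text reaches
        # this handler, so the running total is the post-expansion size.
        seen["chars"] += len(data)
        if char_budget is not None and seen["chars"] > char_budget:
            raise ExpansionBudgetExceeded(seen["chars"])

    parser.CharacterDataHandler = on_character_data
    parser.Parse(doc, True)
    return len(doc), seen["chars"], seen["chars"] / len(doc)


def parse_within_budget(doc, char_budget):
    """True if the document expands within the budget, False if aborted."""
    try:
        measure_amplification(doc, char_budget)
    except ExpansionBudgetExceeded:
        return False
    return True


if __name__ == "__main__":
    doc = build_expanding_doc()
    print("input bytes, expanded chars, ratio:", measure_amplification(doc))
    print("within 1,000 chars:", parse_within_budget(doc, 1_000))
    print("within 100,000 chars:", parse_within_budget(doc, 100_000))
```

The default document is about 215 bytes and expands to 10,000 characters; raising `depth` by one multiplies the expansion by `fanout` without adding more than one declaration, which is the shape the "small document" wording in the entries above refers to. The budget here only bounds delivered character data, not the parser's internal allocations, so it complements rather than replaces the backported allocation-tracking fix.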
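The version phrases in the descriptions above ("before 2.8.2", "through 2.7.3") would mark a plain 2.6.4 as affected by every entry, yet the Analysis column reports several as Patched because the patches table backports their fixes. The following added example, not code from this page or from the expat project, encodes that triage rule for a pinned version: a CVE named in the Resolve column of the patches table wins over the version range, otherwise the range decides, and an entry with neither yields Unknown. The CVE IDs attached to descriptions in ENTRIES are an assumption inferred from the patch titles on this page (the page itself does not show the Name column); the function and variable names are the example's own. It also reports the expat version linked into the running Python as a reminder that the interpreter's own copy is a separate component from the one pinned here.

```python
"""Triage helper for the component above: given a pinned expat version and
the CVE IDs that the backported patches list resolves, classify each
vulnerability description. Added example, not code from this page or from
the expat project. The CVE-to-description links in ENTRIES are an
assumption inferred from the patch titles on this page."""
import re
import xml.parsers.expat

# CVE IDs that appear in the Resolve column of the patches table above.
BACKPORTED = {
    "CVE-2024-8176", "CVE-2025-59375", "CVE-2026-24515", "CVE-2026-25210",
    "CVE-2026-32776", "CVE-2026-32777", "CVE-2026-32778",
}

# (cve, description): descriptions quoted from the vulnerabilities table.
# A CVE is attached only where a patch title makes the link plain
# (assumption); None means the page does not show a name for the entry.
ENTRIES = [
    (None, "libexpat before 2.8.2 has an integer overflow in copyString."),
    (None, "libexpat before 2.8.0 uses insufficient entropy, and thus hash "
           "flooding can occur via a crafted XML document."),
    (None, "In libexpat through 2.7.3, a crafted file with an approximate "
           "size of 2 MiB can lead to dozens of seconds of processing time."),
    ("CVE-2026-32777", "libexpat before 2.7.5 allows an infinite loop while "
                       "parsing DTD content."),
    ("CVE-2025-59375", "libexpat in Expat before 2.7.2 allows attackers to "
                       "trigger large dynamic memory allocations via a small "
                       "document that is submitted for parsing."),
    ("CVE-2024-8176", "A stack overflow vulnerability exists in the libexpat "
                      "library due to the way it handles recursive entity "
                      "expansion in XML documents."),
]

_RANGE = re.compile(r"\b(before|through)\s+(\d+(?:\.\d+)+)\b")


def parse_version(text):
    """'2.6.4' -> (2, 6, 4). Pre-release suffixes are not handled."""
    return tuple(int(part) for part in text.split("."))


def affected_by_range(version, description):
    """True/False from the 'before X' / 'through X' phrase, or None when
    the description states no version range at all."""
    match = _RANGE.search(description)
    if match is None:
        return None
    kind, bound = match.group(1), parse_version(match.group(2))
    v = parse_version(version)
    return v < bound if kind == "before" else v <= bound


def status(version, cve, description, backported):
    """A backported fix wins over the version range; otherwise the range
    decides; 'Unknown' when the page gives neither a matching CVE nor a
    range for the entry."""
    if cve is not None and cve in backported:
        return "Patched"
    affected = affected_by_range(version, description)
    if affected is None:
        return "Unknown"
    return "Exploitable" if affected else "Not affected"


def triage(version, entries, backported):
    return [(cve, status(version, cve, desc, backported)) for cve, desc in entries]


def runtime_expat_version():
    """Version of the expat build linked into this Python (pyexpat)."""
    return ".".join(str(n) for n in xml.parsers.expat.version_info)


if __name__ == "__main__":
    for cve, result in triage("2.6.4", ENTRIES, BACKPORTED):
        print(f"{cve or '(name not shown)':<18} {result}")
    print("expat linked into this interpreter:", runtime_expat_version())
```

Run against "2.6.4" with the backport set, the three unnamed entries stay Exploitable and the three named ones come out Patched, matching the Analysis column; with an empty backport set the same version is Exploitable for every ranged entry and Unknown for the stack-overflow entry, which carries no version range on this page.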