We believe that the bug you reported is fixed in the latest version of
expat, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1138862@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated expat package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 25 Jun 2026 19:44:46 +0200
Source: expat
Architecture: source
Version: 2.8.2-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Closes: 1138862 1140387 1140388 1140557
Changes:
 expat (2.8.2-1) unstable; urgency=high
 .
   * New upstream release (closes: #1138862, #1140387, #1140388, #1140557):
     - fixes CVE-2026-56131: protect XML_ResumeParser() from being called from
       a handler,
     - fixes CVE-2026-56132: fix out-of-bound scaffolding index store in
       doProlog(),
     - fixes CVE-2026-50219: disallow calls to some functions to guard Expat
       bindings from memory corruption,
     - fixes CVE-2026-56403: integer overflow in storeAtts(),
     - fixes CVE-2026-56404: integer overflow in addBinding(),
     - fixes CVE-2026-56405: integer overflow in getAttributeId(),
     - fixes CVE-2026-56406: integer overflow in XML_ParseBuffer(),
     - fixes CVE-2026-56407: integer overflow in textLen handling,
     - fixes CVE-2026-56408: integer overflow in copyString(),
     - fixes CVE-2026-56409: integer overflow in output path join in xmlwf,
     - fixes CVE-2026-56410: integer overflow in resolveSystemId() in xmlwf,
     - fixes CVE-2026-56411: Integer overflow in notation list allocation
       in xmlwf,
     - fixes CVE-2026-56412: guard XML_TOK_DATA_CHARS handler calls
       in doCdataSection().
Checksums-Sha1:
3f141f1ebe00e9160a6641f1d0564ac4b8ff20ff 1970 expat_2.8.2-1.dsc
23acb997daf1a51080bb923763d4abb10a171953 8462437 expat_2.8.2.orig.tar.gz
808f0e5034befa738d57a94a3fc9cd549838d9cf 14012 expat_2.8.2-1.debian.tar.xz
Checksums-Sha256:
f712641d71796c80989171ffcbedd1f9af7400d23e533fd9fe00d4557779311c 1970 expat_2.8.2-1.dsc
ca9d7c05560653cb977bfaa1ac54f717919cc0c68f6798b42fe55347c0b0ad52 8462437 expat_2.8.2.orig.tar.gz
f2b8e4f360715497ef5d8f41d78f6ca71ee2ad5df00decc4a222ba74a4a66aa9 14012 expat_2.8.2-1.debian.tar.xz
Files:
c0b672edf70d277079d0906ecd4a6016 1970 text optional expat_2.8.2-1.dsc
ff239cbbf910e7d0d5f2ebe548aa9c1f 8462437 text optional expat_2.8.2.orig.tar.gz
c51fdedb6f29a5af3c74a4e4ae21c1cb 14012 text optional expat_2.8.2-1.debian.tar.xz