#1140557 expat: CVE-2026-56403 CVE-2026-56404 CVE-2026-56405 CVE-2026-56406 CVE-2026-56407 CVE-2026-56408 CVE-2026-56409 CVE-2026-56410 CVE-2026-56411 CVE-2026-56412

Package: src:expat
Source: src:expat
Submitter: Salvatore Bonaccorso
Date: 2026-06-25 18:51:03 UTC
Severity: normal

#1140557#5
Date: 2026-06-22 17:02:55 UTC

Hi Laszlo

Sorry, more CVE issues for expat. I'm not going to file individual ones
for this batch, as the main purpose is to track the new ones for
unstable, affecting 2.8.1 and to be fixed in 2.8.2 when released.

The following vulnerabilities were published for expat.

CVE-2026-56403[0]:
| libexpat before 2.8.2 has an integer overflow in storeAtts.


CVE-2026-56404[1]:
| libexpat before 2.8.2 has an integer overflow in addBinding.


CVE-2026-56405[2]:
| libexpat before 2.8.2 has an integer overflow in getAttributeId.


CVE-2026-56406[3]:
| libexpat before 2.8.2 has an integer overflow in XML_ParseBuffer
| because it lacked a check that was present in XML_Parse.


CVE-2026-56407[4]:
| libexpat before 2.8.2 has an integer overflow in doProlog that is
| related to storeEntityValue and entity textLen.


CVE-2026-56408[5]:
| libexpat before 2.8.2 has an integer overflow in copyString.


CVE-2026-56409[6]:
| xmlwf in libexpat before 2.8.2 has an integer overflow for the
| output filename when -d outputDir is used.


CVE-2026-56410[7]:
| xmlwf in libexpat before 2.8.2 has an integer overflow in
| resolveSystemId.


CVE-2026-56411[8]:
| xmlwf in libexpat before 2.8.2 has an integer overflow in
| endDoctypeDecl via NOTATION declarations.


CVE-2026-56412[9]:
| libexpat before 2.8.2 does not consider XML_TOK_DATA_CHARS in
| doCdataSection and thus lacks handler call depth tracking for
| various calls from within handlers in cases of a policy violation.
| Thus, a use-after-free can occur. NOTE: this issue exists because of
| an incomplete fix for CVE-2026-50219.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-56403
https://www.cve.org/CVERecord?id=CVE-2026-56403
[1] https://security-tracker.debian.org/tracker/CVE-2026-56404
https://www.cve.org/CVERecord?id=CVE-2026-56404
[2] https://security-tracker.debian.org/tracker/CVE-2026-56405
https://www.cve.org/CVERecord?id=CVE-2026-56405
[3] https://security-tracker.debian.org/tracker/CVE-2026-56406
https://www.cve.org/CVERecord?id=CVE-2026-56406
[4] https://security-tracker.debian.org/tracker/CVE-2026-56407
https://www.cve.org/CVERecord?id=CVE-2026-56407
[5] https://security-tracker.debian.org/tracker/CVE-2026-56408
https://www.cve.org/CVERecord?id=CVE-2026-56408
[6] https://security-tracker.debian.org/tracker/CVE-2026-56409
https://www.cve.org/CVERecord?id=CVE-2026-56409
[7] https://security-tracker.debian.org/tracker/CVE-2026-56410
https://www.cve.org/CVERecord?id=CVE-2026-56410
[8] https://security-tracker.debian.org/tracker/CVE-2026-56411
https://www.cve.org/CVERecord?id=CVE-2026-56411
[9] https://security-tracker.debian.org/tracker/CVE-2026-56412
https://www.cve.org/CVERecord?id=CVE-2026-56412

References to pull requests upstream are on the respective
security-tracker pages.

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

#1140557#10
Date: 2026-06-25 18:48:53 UTC

We believe that the bug you reported is fixed in the latest version of
expat, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1140557@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated expat package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 25 Jun 2026 19:44:46 +0200
Source: expat
Architecture: source
Version: 2.8.2-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Closes: 1138862 1140387 1140388 1140557
Changes:
 expat (2.8.2-1) unstable; urgency=high
 .
   * New upstream release (closes: #1138862, #1140387, #1140388, #1140557):
     - fixes CVE-2026-56131: protect XML_ResumeParser() from being called from
       a handler,
     - fixes CVE-2026-56132: fix out-of-bound scaffolding index store in
       doProlog(),
     - fixes CVE-2026-50219: disallow calls to some functions to guard Expat
       bindings from memory corruption,
     - fixes CVE-2026-56403: integer overflow in storeAtts(),
     - fixes CVE-2026-56404: integer overflow in addBinding(),
     - fixes CVE-2026-56405: integer overflow in getAttributeId(),
     - fixes CVE-2026-56406: integer overflow in XML_ParseBuffer(),
     - fixes CVE-2026-56407: integer overflow in textLen handling,
     - fixes CVE-2026-56408: integer overflow in copyString(),
     - fixes CVE-2026-56409: integer overflow in output path join in xmlwf,
     - fixes CVE-2026-56410: integer overflow in resolveSystemId() in xmlwf,
     - fixes CVE-2026-56411: Integer overflow in notation list allocation
       in xmlwf,
     - fixes CVE-2026-56412: guard XML_TOK_DATA_CHARS handler calls
       in doCdataSection().
Checksums-Sha1:
 3f141f1ebe00e9160a6641f1d0564ac4b8ff20ff 1970 expat_2.8.2-1.dsc
 23acb997daf1a51080bb923763d4abb10a171953 8462437 expat_2.8.2.orig.tar.gz
 808f0e5034befa738d57a94a3fc9cd549838d9cf 14012 expat_2.8.2-1.debian.tar.xz
Checksums-Sha256:
 f712641d71796c80989171ffcbedd1f9af7400d23e533fd9fe00d4557779311c 1970 expat_2.8.2-1.dsc
 ca9d7c05560653cb977bfaa1ac54f717919cc0c68f6798b42fe55347c0b0ad52 8462437 expat_2.8.2.orig.tar.gz
 f2b8e4f360715497ef5d8f41d78f6ca71ee2ad5df00decc4a222ba74a4a66aa9 14012 expat_2.8.2-1.debian.tar.xz
Files:
 c0b672edf70d277079d0906ecd4a6016 1970 text optional expat_2.8.2-1.dsc
 ff239cbbf910e7d0d5f2ebe548aa9c1f 8462437 text optional expat_2.8.2.orig.tar.gz
 c51fdedb6f29a5af3c74a4e4ae21c1cb 14012 text optional expat_2.8.2-1.debian.tar.xz