libexpat: denial of service via crafted XML input

A flaw was found in libexpat. When processing a specially crafted XML input containing a specific pattern of attributes, the parsing time increases quadratically due to checks for attribute name collisions. This consumes excessive CPU resources and eventually results in a denial of service...

UBUNTU-CVE-2026-56407

libexpat before 2.8.2 has an integer overflow in doProlog that is rela...

UBUNTU-CVE-2026-56411

xmlwf in libexpat before 2.8.2 has an integer overflow in endDoctypeDe...

UBUNTU-CVE-2026-56410

xmlwf in libexpat before 2.8.2 has an integer overflow in resolveSyste...

UBUNTU-CVE-2026-56131

libexpat before 2.8.2 lacks handler call depth tracking for calls to X...

UBUNTU-CVE-2026-56408

libexpat before 2.8.2 has an integer overflow in copyString...

UBUNTU-CVE-2026-56132

In libexpat before 2.8.2, there is a heap-based buffer overflow in doP...

UBUNTU-CVE-2026-56409

xmlwf in libexpat before 2.8.2 has an integer overflow for the output...

UBUNTU-CVE-2026-56403

libexpat before 2.8.2 has an integer overflow in storeAtts...

CVE-2026-56411

xmlwf in libexpat before 2.8.2 has an integer overflow in endDoctypeDecl via NOTATION declarations...

CVE-2026-56412

libexpat before 2.8.2 does not consider XMLTOKDATACHARS in doCdataSection and thus lacks handler call depth tracking for various calls from within handlers in cases of a policy violation. Thus, a use-after-free can occur. NOTE: this issue exists because of an incomplete fix for CVE-2026-50219...

CVE-2026-56408

libexpat before 2.8.2 has an integer overflow in copyString...

CVE-2026-56410

xmlwf in libexpat before 2.8.2 has an integer overflow in resolveSystemId...

CVE-2026-56409

xmlwf in libexpat before 2.8.2 has an integer overflow for the output filename when -d outputDir is used...

CVE-2026-56404

libexpat before 2.8.2 has an integer overflow in addBinding...

CVE-2026-56405

libexpat before 2.8.2 has an integer overflow in getAttributeId...

CVE-2026-56406

libexpat before 2.8.2 has an integer overflow in XMLParseBuffer because it lacked a check that was present in XMLParse...

CVE-2026-56412

libexpat before 2.8.2 does not consider XMLTOKDATACHARS in doCdataSection and thus lacks handler call depth tracking for various calls from within handlers in cases of a policy violation. Thus, a use-after-free can occur. NOTE: this issue exists because of an incomplete fix for CVE-2026-50219...

CVE-2026-56412

libexpat before 2.8.2 does not consider XMLTOKDATACHARS in doCdataSection and thus lacks handler call depth tracking for various calls from within handlers in cases of a policy violation. Thus, a use-after-free can occur. NOTE: this issue exists because of an incomplete fix for CVE-2026-50219...

EUVD-2026-38189

libexpat before 2.8.2 does not consider XMLTOKDATACHARS in doCdataSection and thus lacks handler call depth tracking for various calls from within handlers in cases of a policy violation. Thus, a use-after-free can occur. NOTE: this issue exists because of an incomplete fix for CVE-2026-50219...