expat is a stream-oriented XML parser library written in C. expat excels with files too large to fit RAM, and where performance and flexibility are crucial.
Security Fix(es):
libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_ResumeParser from within handlers in cases of a policy violation. Thus, a use-after-free can occur (similar to the CVE-2026-50219 situation).(CVE-2026-56131)
In libexpat before 2.8.2, there is a heap-based buffer overflow in doProlog in xmlparse.c because scaffold backing array reallocation is mishandled when there is data-structure sharing across parsers.(CVE-2026-56132)
{
"severity": "Medium"
}{
"x86_64": [
"expat-2.2.9-27.oe2003sp4.x86_64.rpm",
"expat-debuginfo-2.2.9-27.oe2003sp4.x86_64.rpm",
"expat-debugsource-2.2.9-27.oe2003sp4.x86_64.rpm",
"expat-devel-2.2.9-27.oe2003sp4.x86_64.rpm"
],
"aarch64": [
"expat-2.2.9-27.oe2003sp4.aarch64.rpm",
"expat-debuginfo-2.2.9-27.oe2003sp4.aarch64.rpm",
"expat-debugsource-2.2.9-27.oe2003sp4.aarch64.rpm",
"expat-devel-2.2.9-27.oe2003sp4.aarch64.rpm"
],
"noarch": [
"expat-help-2.2.9-27.oe2003sp4.noarch.rpm"
],
"src": [
"expat-2.2.9-27.oe2003sp4.src.rpm"
]
}