Source: expat
Version: 2.8.1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/libexpat/libexpat/pull/1267
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for expat.

CVE-2026-56131[0]:
| libexpat before 2.8.2 lacks handler call depth tracking for calls to
| XML_ResumeParser from within handlers in cases of a policy
| violation. Thus, a use-after-free can occur (similar to the
| CVE-2026-50219 situation).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-56131
    https://www.cve.org/CVERecord?id=CVE-2026-56131
[1] https://github.com/libexpat/libexpat/pull/1267

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply via email to