Expat 2.8.2 released, fixes 13 vulnerabilities




Hartwork Blog



2026-06-25 17:02

For readers new to Expat:

libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, specifically C99. It is cross-platform and licensed under the MIT license.

Expat 2.8.2 was released today. The key motivation for cutting a release, and doing so now, was getting security and non-security bugfixes out to users. On the security side, 13 vulnerabilities have been fixed:

CVE-2026-50219 — missing control flow integrity checks

CVE-2026-56131 — missing control flow integrity checks

CVE-2026-56132 — out-of-bounds write

CVE-2026-56403 — integer overflow

CVE-2026-56404 — integer overflow

CVE-2026-56405 — integer overflow

CVE-2026-56406 — integer overflow

CVE-2026-56407 — integer overflow

CVE-2026-56408 — integer overflow

CVE-2026-56409 — integer overflow

CVE-2026-56410 — integer overflow

CVE-2026-56411 — integer overflow

CVE-2026-56412 — missing control flow integrity checks

The missing control flow integrity checks were brought to light by Steve Stagg in CPython, by Yousef Shanableh, Asher Darden, Haris Hussain, Sajin S of Astra Security, and fixed by Kartik Kenchi, Haris Hussain and me.

The out-of-bounds write was reported and fixed by Alessandro Gario of Trail of Bits, Anthropic and Matthew Fernandez.

The integer overflows were reported and fixed by Kartik Kenchi and me.

Thanks to everyone who contributed to this release of Expat!

It is worth reminding that:

Following the curl project, the libexpat project is on "security vacation" now until 2026-08-01, i.e. new vulnerability reports will not be accepted until then.

CVSS scores are unreliable and not a metric to base decisions on.

For more details about this release, please check out the change log.

If you maintain Expat packaging, a bundled copy of Expat, or a pinned version of Expat, please update to version 2.8.2. Thank you!

Sebastian Pipping
