Overview
A stack overflow vulnerability has been discovered in the libexpat open source library. When parsing XML documents with deeply nested entity references, libexpat can recurse without bound, exhausting stack space and crashing the process. An attacker can use this to cause a denial of service (DoS) or, depending on the environment and how the library is used, memory corruption.
Description
libexpat is an open source, stream-oriented XML parsing library written in the C programming language. Because it processes input as a stream, it is well suited to large files that are difficult to hold in RAM. A vulnerability has been discovered in it, tracked as CVE-2024-8176; the vulnerability description is reproduced below.
CVE-2024-8176
A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.
Impact
An attacker with access to software that uses libexpat could supply an XML document to that program and cause a denial of service or memory corruption. libexpat is used in a wide variety of software and by many companies.
Solution
A patch for the vulnerability is included in libexpat version 2.7.0. Organizations that use libexpat can verify that their build is patched using the proof-of-concept (POC) payload generators provided here: https://github.com/libexpat/libexpat/issues/893#payload_generators
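As an added example, not part of this note or of the libexpat project, the following Python check uses the expat binding that Python ships (xml.parsers.expat) to report which libexpat version is linked in and to refuse untrusted documents that declare entities at all, since the nested entity chains behind CVE-2024-8176 cannot exist without entity declarations. The sample documents SAFE and NESTED are constructed here for illustration.

```python
"""Defensive checks around the libexpat build that Python links against."""
import xml.parsers.expat as expat


def expat_version():
    """Return the (major, minor, micro) tuple of the linked libexpat."""
    return tuple(expat.version_info)


def is_patched_version():
    """True when the runtime libexpat is 2.7.0 or later (the fixed release)."""
    return expat_version() >= (2, 7, 0)


class EntityDeclarationRejected(Exception):
    """Raised when untrusted input declares an entity (internal or external)."""


def parse_untrusted(data: bytes):
    """Parse `data` and return the start-tag names seen.

    Any entity declaration aborts parsing before a single reference can be
    expanded, which is what keeps the recursive expansion path unreachable.
    """
    parser = expat.ParserCreate()
    seen = []

    def on_start(name, attrs):
        seen.append(name)

    # Signature fixed by pyexpat: (name, is_param, value, base, sysid, pubid, notation).
    def on_entity_decl(entity_name, is_param, value, base, sysid, pubid, notation):
        # Raising inside a handler stops the parser and propagates out of Parse().
        raise EntityDeclarationRejected(entity_name)

    parser.StartElementHandler = on_start
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(data, True)
    return seen


def check_untrusted(data: bytes):
    """Return ("ok", names) or ("rejected", offending_entity_name)."""
    try:
        return ("ok", parse_untrusted(data))
    except EntityDeclarationRejected as exc:
        return ("rejected", exc.args[0])


# Constructed sample input: an ordinary document and a short nested entity chain.
SAFE = b"<root><child a='1'/><child/></root>"
NESTED = b"""<?xml version="1.0"?>
<!DOCTYPE d [
 <!ENTITY e0 "x">
 <!ENTITY e1 "&e0;&e0;">
 <!ENTITY e2 "&e1;&e1;">
]>
<d>&e2;</d>"""
```

Rejecting every entity declaration is stricter than the upstream fix; it is appropriate only where the application never needs DTD-defined entities.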
Acknowledgements
This vulnerability was reported to us by the maintainer of the project, Sebastian Pipping, to increase awareness. The vulnerability was originally discovered by Jann Horn of Google's Project Zero. Vendors who wish to join the discussion within VINCE can do so here: https://www.kb.cert.org/vince/. This document was written by Christopher Cullen.
Vendor Information
Arch Linux Affected
Statement Date: April 15, 2025
CVE-2024-8176 | Affected |
Vendor Statement
We used to be affected but we updated to 2.7.0 a long time ago: https://archlinux.org/packages/core/x86_64/expat/
Debian GNU/Linux Affected
Statement Date: March 26, 2025
CVE-2024-8176 | Affected |
Vendor Statement
We are tracking this CVE there: https://security-tracker.debian.org/tracker/CVE-2024-8176
D-Link Systems Inc. Affected
Statement Date: April 09, 2025
CVE-2024-8176 | Affected |
Vendor Statement
D-Link Corporation recognizes the report. Upon investigation we have found the following devices and their firmwares would fall under use of the accused library.
+--------------+--------------+----------+
| Model        | Version      | Fix date |
+--------------+--------------+----------+
| DOM-550-GSO  | A1/1.00.02   | TBD      |
| DOM-530-TSO  | A1/1.00.01   | TBD      |
| DWM-313      | C1/2.00.00   | TBD      |
| DWM-530-T    | A1/1.00.01   | TBD      |
| DWM-313      | B1/1.01.02   | TBD      |
| R18          | A1/1.03B02   | TBD      |
| M18          | A1/1.03B02   | TBD      |
| DSR-250v2    | B1/1.02.004  | EOL      |
| DBG-2000     | A1/2.23.B001 | EOL      |
+--------------+--------------+----------+
Contact D-Link US SIRT: security @ dlink.com
FreeBSD Affected
Statement Date: April 03, 2025
CVE-2024-8176 | Affected |
Vendor Statement
The FreeBSD base system ships an affected version of expat in contrib as libbsdxml. Since this library is only used by unbound-anchor(8) and tar(1) in the base system, we are not treating this bug as a security vulnerability. The scope for parsing XML from untrusted sources is extremely limited and any exploit would be self-inflicted.
We will issue an errata notice in the coming days to bring affected systems to expat 2.7.1. Our errata notice will advise users to check if they have installed expat from ports or as a package. Those systems may be vulnerable.
The ports tree was already updated with expat 2.7.1 and pkg audit will advise users if they may be affected.
Gentoo Linux Affected
Statement Date: March 28, 2025
CVE-2024-8176 | Affected |
Vendor Statement
We have not received a statement from the vendor.
HardenedBSD Affected
Statement Date: March 25, 2025
CVE-2024-8176 | Affected |
Vendor Statement
HardenedBSD ships with libexpat in the base operating system. We inherit it from our upstream, FreeBSD.
Illumos Affected
Statement Date: March 26, 2025
CVE-2024-8176 | Affected |
Vendor Statement
illumos proper has one component that uses libexpat, namely hald. Not all distributions ship hald. Most distributions, however, do use libexpat for other purposes, and they should update to 2.7.0 if they aren't already, just for code hygiene.
hald is a global-zone daemon, so an attacker would need access to the global zone, possibly privileged access, to attempt an exploit.
Other attack surfaces will depend on other distros' uses of libexpat.
Intel Affected
Statement Date: April 29, 2025
CVE-2024-8176 | Affected |
Vendor Statement
Please review Intel's security announcement here: https://www.intel.com/content/www/us/en/security-center/announcement/intel-security-announcement-2025-4-15-001.html
NetApp Affected
Statement Date: April 14, 2025
CVE-2024-8176 | Affected |
Vendor Statement
NetApp advisory: https://security.netapp.com/advisory/NTAP-20250328-0009
NixOS Affected
Statement Date: April 14, 2025
CVE-2024-8176 | Affected |
Vendor Statement
We have not received a statement from the vendor.
Red Hat Affected
Statement Date: April 15, 2025
CVE-2024-8176 | Affected |
Vendor Statement
We have not received a statement from the vendor.
Rocky Linux Affected
Statement Date: April 07, 2025
CVE-2024-8176 | Affected |
Vendor Statement
We have not received a statement from the vendor.
SUSE Linux Affected
Statement Date: March 25, 2025
CVE-2024-8176 | Affected |
Vendor Statement
SUSE ships libexpat affected by this problem, however -fstack-clash-protection is active in our distributions and mitigates the issue.
Triton Data Center Affected
Statement Date: March 28, 2025
CVE-2024-8176 | Affected |
Vendor Statement
SmartOS is one of the illumos distros that does not ship hald from its downstream illumos.
However, SmartOS ships a node.js component that uses a self-built fork of node-expat, a front-end to libexpat. This component does not get accessed outside the confines of SmartOS VM operations, where expat is used to parse XML files generated by other non-expat illumos utilities (/etc/zones/*.xml).
Unless the attacker has access to a SmartOS global zone with privileges to alter files in /etc/zones, either with the likes of vmadm(8), zonecfg(8), or zoneadm(8), or by using direct file operations, the attack surface is low.
As a precaution, SmartOS will have an updated platform-only libexpat starting with release 20240403. The OS ticket in the case references will be made public, and the commit is already in illumos-extra repo as of today. Also upon embargo lifting, a Triton Product Security notice about this will land on https://security.tritondatacenter.com/
Ubuntu Affected
Statement Date: April 15, 2025
CVE-2024-8176 | Affected |
Vendor Statement
https://ubuntu.com/security/CVE-2024-8176
GnuTLS Not Affected
Statement Date: March 25, 2025
CVE-2024-8176 | Not Affected |
Vendor Statement
GnuTLS, libtasn1, and guile-gnutls are not using libexpat.
Joyent Not Affected
Statement Date: April 03, 2025
CVE-2024-8176 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Microsoft Not Affected
Statement Date: April 29, 2025
CVE-2024-8176 | Not Affected |
Vendor Statement
Based on MSRC's investigation, libexpat is only used to parse XML returned from Bing servers as validated by HTTPS. This code also runs in an app sandbox which further limits exploitability. This has been deprecated and will be removed upon the completion of the 1 year minimum wait period.
OpenSSL Not Affected
Statement Date: March 25, 2025
CVE-2024-8176 | Not Affected |
Vendor Statement
We do not use libexpat at all.
OPNsense Not Affected
Statement Date: March 25, 2025
CVE-2024-8176 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
AERAsec Network Services and Security GmbH Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
AirWatch Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Alcatel-Lucent Enterprise Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Alpine Linux Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Alt-n Technologies Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Amazon Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Android Open Source Project Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Apple Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Arista Networks Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Aruba Networks Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Astaro Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Avaya Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Belkin Inc. Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
BlackBerry Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Blackberry QNX Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
CA Technologies Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Check Point Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Cisco Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Cricket Wireless Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Dell EMC Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
DesktopBSD Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
DragonFly BSD Project Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Exim Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
F5 Networks Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Forcepoint Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Fortinet Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Global Technology Associates Inc. Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Google Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Hewlett Packard Enterprise Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Hitachi Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
HP Inc. Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
HTC Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Huawei Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
IBM Numa-Q Division (Formerly Sequent) Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Juniper Networks Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Kerio Technologies Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Lenovo Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
LG Electronics Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
m0n0wall Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Marconi Inc. Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
McAfee Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Micro Focus Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Motorola Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
NEC Corporation Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
NetBSD Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Netfilter Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Netscreen Inc. Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Nexenta Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Nokia Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
OpenBSD Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
OpenIndiana Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
OpenSSL Project Mime Peer Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Openwall GNU/*/Linux Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Oracle Corporation Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Palo Alto Networks Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
pfSense Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
QBIK New Zealand Limited Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Samsung Mobile Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Slackware Linux Inc. Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
SmoothWall Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Sony Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Symantec Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Synology Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Tenable Network Security Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Tizen Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
TrueOS Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Turbolinux Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Unisys Corporation Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Univention Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Watchguard Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Xiaomi Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
XigmaNAS Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Zyxel Unknown
CVE-2024-8176 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-8176
- https://blog.hartwork.org/posts/expat-2-7-0-released/
- https://github.com/libexpat/libexpat/issues/893
- http://www.openwall.com/lists/oss-security/2025/03/15/1
- https://access.redhat.com/errata/RHSA-2025:3531
- https://access.redhat.com/errata/RHSA-2025:3734
- https://access.redhat.com/errata/RHSA-2025:3913
- https://access.redhat.com/errata/RHSA-2025:4048
- https://access.redhat.com/security/cve/CVE-2024-8176
- https://bugzilla.redhat.com/show_bug.cgi?id=2310137
- https://bugzilla.suse.com/show_bug.cgi?id=1239618
- https://github.com/libexpat/libexpat/blob/R_2_7_0/expat/Changes#L40-L52
- https://gitlab.alpinelinux.org/alpine/aports/-/commit/d068c3ff36fc6f4789988a09c69b434db757db53
- https://security-tracker.debian.org/tracker/CVE-2024-8176
- https://security.netapp.com/advisory/ntap-20250328-0009/
- https://ubuntu.com/security/CVE-2024-8176
Other Information
CVE IDs: CVE-2024-8176
API URL: VINCE JSON, CSAF
Date Public: 2025-05-09
Date First Published: 2025-05-09
Date Last Updated: 2025-05-09 10:49 UTC
Document Revision: 1