Stack Overflow Vulnerability in Expat Library Affecting XML Parsing
CVE-2024-8176

7.5HIGH

Key Information:

Vendor: Red Hat
Status: Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7; Red Hat Enterprise Linux 8; Red Hat Enterprise Linux 9
Vendor: CVE Published:; 14 March 2025

Summary

A stack overflow vulnerability has been identified in the libexpat library, primarily concerning its recursive entity expansion handling in XML documents. When processing XML files with a high degree of nested entity references, libexpat is susceptible to infinite recursion, ultimately leading to stack exhaustion. This behavior could result in denial of service conditions or potential memory corruption, which may vary based on the environment and implementation of the library. Users are urged to review their configurations and apply necessary patches to mitigate these risks.

References

https://access.redhat.com/security/cve/CVE-2024-8176

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2310137

issue-trackingx_refsource_REDHAT

https://github.com/libexpat/libexpat/issues/893

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 14, 2025
Vulnerability Reserved
Aug 26, 2024

Credit

This issue was discovered by Jann Horn (Google Project Zero), Sandipan Roy (Red Hat), Sebastian Pipping (libexpat), and Tomas Korbar (Red Hat).