libexpat Stack Overflow Vulnerability Allowing Denial-of-Service

Vulnerability

A stack overflow vulnerability has been identified in the libexpat library in versions prior to 2.7.0. It arises from the way the parser handles nested entity expansion in XML documents: each entity reference is expanded recursively, and nothing bounds the recursion depth. When libexpat parses an XML document whose internal DTD defines a long chain of entities that reference one another, the parser recurses once per link in the chain until it exhausts the available stack space and crashes. The result is a denial-of-service (DoS) condition and, in some environments and depending on how the library is used, memory corruption.

Impact

Exploitation of this vulnerability exhausts the stack, which produces a segmentation fault and crashes the application that is using libexpat, whether directly or through a language binding such as Python's pyexpat. This is a denial-of-service condition. In some environments the same stack exhaustion can be leveraged to cause memory corruption.

Reproduction

The vulnerability can be reproduced by parsing an XML document that contains a long chain of nested entity references. The 'xmlwf' command-line tool, which ships with the libexpat distribution, can be used for this: it parses the document and checks it for well-formedness (expat is a non-validating parser, so no validation against a DTD or schema takes place). The 'payload1.py', 'payload2.py', and 'payload3.py' scripts, available in the libexpat GitHub repository, generate the XML payloads that trigger the vulnerability.
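The shape of such a payload, and a pre-parse check that a deployment can apply while it is still on an affected version, as an added example written for this page (it is not the advisory's own code and not one of the libexpat project's payload scripts). build_entity_chain() emits a document whose internal DTD defines entities e0 -> e1 -> ... -> e{depth-1}, with the body referencing e0, so expanding the body forces `depth` nested expansions; small depths are harmless, and a depth large enough to actually crash an affected parser is far beyond the values used here. max_expansion_depth() walks the entity reference graph declared in the internal subset and reports the longest expansion chain reachable from the body, so an application can refuse a document before handing it to expat. The walk is iterative on purpose: a recursive checker would fall over on exactly the input it is meant to catch. The entity names, the default limit of 64 and the regular expressions (which cover only internal general entities with quoted literal values) are assumptions for the example.

```python
import re

# Added example, not from the libexpat project or this advisory.


def build_entity_chain(depth: int, prefix: str = "e") -> str:
    """Build an XML document with a chain of `depth` nested entity references.

    e0 expands to &e1;, e1 to &e2;, ..., the last entity to a literal "x",
    and the document body references e0.  Parsing it therefore forces
    `depth` nested entity expansions.  (Constructed payload shape; the
    prefix and the literal "x" are arbitrary choices for the example.)
    """
    if depth < 1:
        raise ValueError("depth must be >= 1")
    decls = []
    for i in range(depth):
        value = f"&{prefix}{i + 1};" if i < depth - 1 else "x"
        decls.append(f'  <!ENTITY {prefix}{i} "{value}">')
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE doc [\n" + "\n".join(decls) + "\n]>\n"
        f"<doc>&{prefix}0;</doc>\n"
    )


# Internal general entity declarations with a quoted literal value, and
# general entity references.  Parameter entities and external entities are
# deliberately not handled by this example.
_ENTITY_DECL = re.compile(r"""<!ENTITY\s+([A-Za-z_][\w.\-]*)\s+(?:"([^"]*)"|'([^']*)')""")
_ENTITY_REF = re.compile(r"&([A-Za-z_][\w.\-]*);")
_PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}


def entity_graph(xml_text: str) -> dict[str, list[str]]:
    """Map each declared internal entity to the entities its value references."""
    graph: dict[str, list[str]] = {}
    for m in _ENTITY_DECL.finditer(xml_text):
        name = m.group(1)
        value = m.group(2) if m.group(2) is not None else m.group(3)
        graph[name] = [r for r in _ENTITY_REF.findall(value) if r not in _PREDEFINED]
    return graph


def max_expansion_depth(xml_text: str) -> int:
    """Longest chain of nested entity expansions reachable from the body.

    Iterative depth-first search with memoisation, so the checker itself
    uses O(1) native stack regardless of how long the chain is.  Raises
    ValueError on a reference cycle (expat rejects those as well).
    """
    graph = entity_graph(xml_text)
    # Drop the internal subset so declaration values are not counted as body references.
    body = re.sub(r"<!DOCTYPE.*?\]>", "", xml_text, flags=re.S)
    roots = [r for r in _ENTITY_REF.findall(body) if r in graph]
    memo: dict[str, int] = {}    # entity name -> depth of its own expansion
    on_path: set[str] = set()    # entities on the current DFS path (cycle check)
    best = 0
    for root in roots:
        if root not in memo:
            on_path.add(root)
            stack = [(root, iter(graph[root]))]
            while stack:
                name, children = stack[-1]
                child = next(children, None)
                if child is None:                      # all children resolved
                    stack.pop()
                    on_path.discard(name)
                    memo[name] = 1 + max((memo.get(c, 0) for c in graph[name]), default=0)
                elif child in on_path:
                    raise ValueError(f"entity reference cycle through {child!r}")
                elif child in graph and child not in memo:
                    on_path.add(child)
                    stack.append((child, iter(graph[child])))
        best = max(best, memo[root])
    return best


def within_limit(xml_text: str, limit: int = 64) -> bool:
    """Pre-parse gate: True if the document's nesting stays within `limit`."""
    return max_expansion_depth(xml_text) <= limit


if __name__ == "__main__":
    doc = build_entity_chain(8)
    print(doc)
    print("expansion depth:", max_expansion_depth(doc), "within limit:", within_limit(doc))
```

The gate is a stop-gap for systems that cannot take the 2.7.0 update immediately, not a substitute for it: it only inspects the internal subset, so documents that pull entity definitions from external sources, or that reach the parser through another path, still need the fixed library.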

Remediation

Users should update to libexpat version 2.7.0 or later, where this vulnerability has been fixed. Red Hat users can apply the update through the Red Hat Product Errata RHSA-2025:13681. For Debian users, the update is available in the 'expat' package version 2.7.1-2.
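A quick way to confirm which libexpat a Python process actually uses, as an added example for this page (not the advisory's or the project's code): CPython's pyexpat module exposes the version of the expat it was linked against, and CPython can be built against its bundled copy of expat rather than the distribution's shared library, so the version of the system 'expat' package alone does not tell you what this interpreter parses with. The 2.7.0 threshold comes from the advisory; the function names are assumptions for the example.

```python
import pyexpat

# Added example, not from the libexpat project or this advisory.
FIXED_VERSION = (2, 7, 0)   # first fixed release, per the advisory


def is_fixed(version: tuple, fixed: tuple = FIXED_VERSION) -> bool:
    """True if `version` (major, minor, micro) is at or after the fixed release."""
    return tuple(int(x) for x in version) >= tuple(fixed)


def linked_expat_version() -> tuple:
    """Version of the libexpat this interpreter's pyexpat is linked against."""
    return tuple(pyexpat.version_info)


def report() -> str:
    v = linked_expat_version()
    state = "fixed" if is_fixed(v) else "affected (update to 2.7.0 or later)"
    return f"pyexpat is linked against libexpat {'.'.join(map(str, v))}: {state}"


if __name__ == "__main__":
    print(report())
```

For native applications, the same check is the version string of the shared library they load, which on a patched system must correspond to 2.7.0 or later even where the distribution keeps its own package version numbering.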

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 8.4
impact: 2.5
exploitability: 5.6
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.