{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/760160#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\n\r\nA stack overflow vulnerability has been discovered in the libexpat open source library. When parsing XML documents with deeply nested entity references, libexpat can recurse indefinitely, exhausting stack space and crashing. An attacker can exploit this to perform either denial of service (DoS) or memory corruption attacks, depending on the libexpat environment and library usage.\r\n\r\n### Description\r\n\r\nlibexpat is an open source, stream-oriented XML parsing library written in the C programming language. It is particularly suited to large files that are difficult to process entirely in RAM. The vulnerability is tracked as CVE-2024-8176; its description follows.\r\n\r\n**CVE-2024-8176**\r\n\r\nA stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.\r\n\r\n### Impact\r\nAn attacker with access to software that uses libexpat could supply an XML document to the program and cause a denial of service or memory corruption. libexpat is used by a wide range of [software and companies](https://libexpat.github.io/doc/users/).\r\n\r\n### Solution\r\nThe vulnerability is fixed in [version 2.7.0 of libexpat](https://github.com/libexpat/libexpat/releases/tag/R_2_7_0). Organizations that use libexpat can verify their fix using the proof-of-concept payload generators provided here: https://github.com/libexpat/libexpat/issues/893#payload_generators\r\n\r\n### Acknowledgements\r\nThis vulnerability was reported to us by the maintainer of the project, Sebastian Pipping, to increase awareness. The vulnerability was originally discovered by Jann Horn of Google's Project Zero. Vendors who wish to join the discussion within VINCE can do so here: https://www.kb.cert.org/vince/. This document was written by Christopher Cullen.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL, if provided by the vendor, for more details.","title":"Limitations of Advisory"},{"category":"other","text":"SUSE ships libexpat affected by this problem, however -fstack-clash-protection is active in our distributions and mitigates the issue.","title":"Vendor statement from SUSE Linux"},{"category":"other","text":"D-Link Corporation recognizes the report. 
Upon investigation, we have found that the following devices and their firmware would fall under use of the accused library.\r\n\r\n+--------------+--------------+----------+\r\n| Model        | Version      | Fix date |\r\n+--------------+--------------+----------+\r\n| DOM-550-GSO  | A1/1.00.02   | TBD      |\r\n| DOM-530-TSO  | A1/1.00.01   | TBD      |\r\n| DWM-313      | C1/2.00.00   | TBD      |\r\n| DWM-530-T    | A1/1.00.01   | TBD      |\r\n| DWM-313      | B1/1.01.02   | TBD      |\r\n| R18          | A1/1.03B02   | TBD      |\r\n| M18          | A1/1.03B02   | TBD      |\r\n| DSR-250v2    | B1/1.02.004  | EOL      |\r\n| DBG-2000     | A1/2.23.B001 | EOL      |\r\n+--------------+--------------+----------+\r\nContact D-Link US SIRT: security @ dlink.com","title":"Vendor statement from D-Link Systems Inc."},{"category":"other","text":"Based on MSRC's investigation, libexpat is only used to parse XML returned from Bing servers as validated by HTTPS. This code also runs in an app sandbox, which further limits exploitability. This has been deprecated and will be removed upon the completion of the 1 year minimum wait period.","title":"Vendor statement from Microsoft"},{"category":"other","text":"Please review Intel's security announcement here: https://www.intel.com/content/www/us/en/security-center/announcement/intel-security-announcement-2025-4-15-001.html","title":"Vendor statement from Intel"},{"category":"other","text":"F5 has published the security advisory for the vulnerability: https://my.f5.com/manage/s/article/K000151869","title":"Vendor statement from F5 Networks"},{"category":"other","text":"HardenedBSD ships with libexpat in the base operating system. 
We inherit it from our upstream, FreeBSD.","title":"Vendor statement from HardenedBSD"},{"category":"other","text":"GnuTLS, libtasn1, and guile-gnutls are not using libexpat","title":"Vendor statement from GnuTLS"},{"category":"other","text":"We do not use libexpat at all.","title":"Vendor statement from OpenSSL"},{"category":"other","text":"illumos proper has one component that uses libexpat, namely hald.  Not all distributions ship hald.  Most distributions, however, do use libexpat for other purposes, and they should update to 2.7.0 if they aren't already, just for code hygiene.\r\n\r\nhald is a global-zone daemon, so an attacker would need access to the global zone, possibly privileged access, to attempt an exploit.\r\n\r\nOther attack surfaces will depend on other distros' uses of libexpat.","title":"Vendor statement from Illumos"},{"category":"other","text":"We are tracking this CVE there: https://security-tracker.debian.org/tracker/CVE-2024-8176","title":"Vendor statement from Debian GNU/Linux"},{"category":"other","text":"SmartOS is one of the illumos distros that does not ship hald from its downstream illumos.\r\n\r\nHowever, SmartOS ships a node.js component that uses a self-built fork of node-expat, a front-end to libexpat.  This component does not get accessed outside the confines of SmartOS VM operations, where expat is used to parse XML files generated by other non-expat illumos utilities (`/etc/zones/*.xml`).\r\n\r\nUnless the attacker has access to a SmartOS global zone with privileges to alter files in `/etc/zones`, either with the likes of vmadm(8), zonecfg(8), or zoneadm(8), or by using direct file operations, the attack surface is low.\r\n\r\nAs a precaution, SmartOS will have an updated platform-only libexpat starting with release 20240403.  The OS ticket in the case references will be made public, and the commit is already in illumos-extra repo as of today.  
Also upon embargo lifting, a Triton Product Security notice about this will land on https://security.tritondatacenter.com/","title":"Vendor statement from Triton Data Center"},{"category":"other","text":"We used to be affected but we updated to 2.7.0 a long time ago: https://archlinux.org/packages/core/x86_64/expat/","title":"Vendor statement from Arch Linux"},{"category":"other","text":"The FreeBSD base system ships an affected version of expat in contrib as libbsdxml.  Since this library is only used by unbound-anchor(8) and tar(1) in the base system, we are not treating this bug as a security vulnerability.  The scope for parsing XML from untrusted sources is extremely limited and any exploit would be self-inflicted.\r\n\r\nWe will issue an errata notice in the coming days to bring affected systems to expat 2.7.1.  Our errata notice will advise users to check if they have installed expat from ports or as a package.  Those systems may be vulnerable.\r\n\r\nThe ports tree was already updated with expat 2.7.1 and `pkg audit` will advise users if they may be affected.","title":"Vendor statement from FreeBSD"},{"category":"other","text":"https://ubuntu.com/security/CVE-2024-8176","title":"Vendor statement from Ubuntu"},{"category":"other","text":"NetApp advisory: https://security.netapp.com/advisory/NTAP-20250328-0009","title":"Vendor statement from NetApp"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/760160"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-8176","summary":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-8176"},{"url":"https://blog.hartwork.org/posts/expat-2-7-0-released/","summary":"https://blog.hartwork.org/posts/expat-2-7-0-released/"},{"url":"https://github.com/libexpat/libexpat/issues/893","summary":"https://github.com/libexpat/libexpat/issues/893"},{"url":"https://ubuntu.com/security/CVE-2024-8176","summary":"https://ubuntu.com/security/CVE-2024-8176"},{"url":"https://www.suse.com/security/cve/CVE-2024-8176.html","summary":"Reference(s) from vendor \"SUSE Linux\""},{"url":"https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features?branch=main&branchFallbackFrom=pr-en-us-10717#deprecated-features:~:text=April%202025-,Windows%20UWP%20Map%20control%20and%20Windows%20Maps%20platform%20APIs,-The%20Windows%20UWP","summary":"Reference(s) from vendor \"Microsoft\""},{"url":"https://www.intel.com/content/www/us/en/security-center/announcement/intel-security-announcement-2025-4-15-001.html","summary":"Reference(s) from vendor \"Intel\""},{"url":"https://security-tracker.debian.org/tracker/CVE-2024-8176","summary":"Reference(s) from vendor \"Debian GNU/Linux\""},{"url":"https://smartos.org/bugview/OS-8640","summary":"Reference(s) from vendor \"Triton Data Center\""},{"url":"https://smartos.org/bugview/OS-8643","summary":"Reference(s) from vendor \"Triton Data Center\""},{"url":"https://security.tritondatacenter.com/","summary":"Reference(s) from vendor \"Triton Data Center\""},{"url":"https://access.redhat.com/security/cve/CVE-2024-8176","summary":"Reference(s) from vendor \"Red Hat\""},{"url":"https://github.com/NixOS/nixpkgs/pull/390052","summary":"Reference(s) from vendor \"NixOS\""}],"title":"libexpat library is vulnerable to DoS attacks through stack overflow","tracking":{"current_release_date":"2025-07-17T12:42:19+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#760160","initial_release_date":"2025-05-09 10:49:19.326430+00:00","revision_history":[{"date":"2025-07-17T12:42:19+00:00","number":"1.20250717124219.2","summary":"Released on 2025-07-17T12:42:19+00:00"}],"status":"final","version":"1.20250717124219.2"}},"vulnerabilities":[{"title":"A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents.","notes":[{"category":"summary","text":"A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage."}],"cve":"CVE-2024-8176","ids":[{"system_name":"CERT/CC V Identifier","text":"VU#760160"}],"product_status":{"known_affected":["CSAFPID-a9146802-344c-11f1-8422-122e2785dc9f","CSAFPID-a9151540-344c-11f1-8422-122e2785dc9f","CSAFPID-a9155c4e-344c-11f1-8422-122e2785dc9f","CSAFPID-a9162b2e-344c-11f1-8422-122e2785dc9f","CSAFPID-a9167c96-344c-11f1-8422-122e2785dc9f","CSAFPID-a916d9f2-344c-11f1-8422-122e2785dc9f","CSAFPID-a917391a-344c-11f1-8422-122e2785dc9f","CSAFPID-a9178ab4-344c-11f1-8422-122e2785dc9f","CSAFPID-a917cdbc-344c-11f1-8422-122e2785dc9f","CSAFPID-a9181c90-344c-11f1-8422-122e2785dc9f","CSAFPID-a918c960-344c-11f1-8422-122e2785dc9f","CSAFPID-a9191050-344c-11f1-8422-122e2785dc9f","CSAFPID-a9196898-344c-11f1-8422-122e2785dc9f","CSAFPID-a919b5aa-344c-11f1-8422-122e2785dc9f","CSAFPID-a91a0852-344c-11f1-8422-122e2785dc9f","CSAFPID-a91a9f88-344c-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-a914d47c-344c-11f1-8422-122e2785dc9f","CSAFPID-a915b1d0-344c-11f1-8422-122e2785dc9f","CSAFPID-a915f320-344c-11f1-8422-122e2785dc9f","CSAFPID-a91871a4-344c-11f1-8422-122e2785dc9f","CSAFPID-a91a530c-344c-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"F5 Networks","product":{"name":"F5 Networks Products","product_id":"CSAFPID-a9146802-344c-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"OPNsense","product":{"name":"OPNsense Products","product_id":"CSAFPID-a914d47c-344c-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"SUSE Linux","product":{"name":"SUSE Linux Products","product_id":"CSAFPID-a9151540-344c-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"HardenedBSD","product":{"name":"HardenedBSD Products","product_id":"CSAFPID-a9155c4e-344c-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"GnuTLS","product":{"name":"GnuTLS Products","product_id":"CSAFPID-a915b1d0-344c-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"OpenSSL","product":{"name":"OpenSSL Products","product_id":"CSAFPID-a915f320-344c-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Illumos","product":{"name":"Illumos Products","product_id":"CSAFPID-a9162b2e-344c-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Debian GNU/Linux","product":{"name":"Debian GNU/Linux Products","product_id":"CSAFPID-a9167c96-344c-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Triton Data Center","product":{"name":"Triton Data Center Products","product_id":"CSAFPID-a916d9f2-344c-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Arch Linux","product":{"name":"Arch Linux Products","product_id":"CSAFPID-a917391a-344c-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Gentoo Linux","product":{"name":"Gentoo Linux Products","product_id":"CSAFPID-a9178ab4-344c-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Red Hat","product":{"name":"Red Hat Products","product_id":"CSAFPID-a917cdbc-344c-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"FreeBSD","product":{"name":"FreeBSD Products","product_id":"CSAFPID-a9181c90-344c-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Joyent","product":{"name":"Joyent Products","product_id":"CSAFPID-a91871a4-344c-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Ubuntu","product":{"name":"Ubuntu Products","product_id":"CSAFPID-a918c960-344c-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Rocky Linux","product":{"name":"Rocky Linux Products","product_id":"CSAFPID-a9191050-344c-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"D-Link Systems Inc.","product":{"name":"D-Link Systems Inc. Products","product_id":"CSAFPID-a9196898-344c-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"NixOS","product":{"name":"NixOS Products","product_id":"CSAFPID-a919b5aa-344c-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"NetApp","product":{"name":"NetApp Products","product_id":"CSAFPID-a91a0852-344c-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Microsoft","product":{"name":"Microsoft Products","product_id":"CSAFPID-a91a530c-344c-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Intel","product":{"name":"Intel Products","product_id":"CSAFPID-a91a9f88-344c-11f1-8422-122e2785dc9f"}}]}}