Advisories » MGASA-2026-0031

Updated expat packages fix security vulnerabilities

Publication date: 04 Feb 2026
Modification date: 04 Feb 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-24515 , CVE-2026-25210

Description

In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy
unknown encoding handler user data. (CVE-2026-24515)
In libexpat before 2.7.4, the doContent function does not properly
determine the buffer size bufSize because there is no integer overflow
check for tag buffer reallocation. (CVE-2026-25210)
                

References

• https://bugs.mageia.org/show_bug.cgi?id=35089
• https://www.openwall.com/lists/oss-security/2026/01/31/1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24515
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25210

SRPMS

9/core

• expat-2.7.4-1.mga9