libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, precisely C99. It is cross-platform and licensed under the MIT license.

Expat 2.4.4 has been released yesterday. Besides a memory leak bugfix to xmlwf and fixes to the build system, this release is about security fixes. There are 2 CVEs involved, both related to fixed-size integer math (integer overflow) near memory allocation, not unlike what we had with 2.4.3 before. Impact is denial of service, or more.

• CVE-2022-23852
• CVE-2022-23990

For more details, please check out the change log.

If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere, please update to 2.4.4. Thank you!

Sebastian Pipping