Expat 2.7.4 released, includes security fixes
For readers new to Expat:
libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, specifically C99. It is cross-platform and licensed under the MIT license.
Expat 2.7.4 was released earlier today. The key motivation for cutting a release and doing so now is two security fixes:
- CVE-2026-24515 — NULL pointer dereference (CWE-476)
- CVE-2026-25210 — integer overflow (CWE-190)
The NULL pointer dereference finding and fix were contributed by Artiphishell Inc., and originated in AI.
Another highlight in this release is the introduction of (off-by-default) symbol versioning, which Gordon Messmer of Fedora and I teamed up for. If you have seen things like @@GLIBC_2.42 before, it's that same kind of symbol versioning.
The rest of the release consists of a mix of minor improvements and fixes, particularly to both build systems, documentation, and infrastructure.
Thanks to everyone who contributed to this release of Expat!
For more details about this release, please check out the change log.
If you maintain Expat packaging, a bundled copy of Expat, or a pinned version of Expat, please update to version 2.7.4. Thank you!
Sebastian Pipping