
Expat 2.8.0 released, includes security fixes

For readers new to Expat:

libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, specifically C99. It is cross-platform and licensed under the MIT license.

Expat 2.8.0 was released two days ago. The key motivation for cutting a release and doing so now was:

  • Addressing security issue CVE-2026-41080 (insufficient entropy, CWE-331), and also
  • Getting support for the entropy extractor getentropy(3), as well as bug fixes, into the hands of users.

So, a summary "entropy and bugfixes" would be on point for the theme of this release.

What is entropy, and what does Expat need it for?

Entropy (in computing) is the amount of information that an attacker does not know. If your banking card PIN has four decimal digits, from 0000 to 9999, that is 10,000 possible combinations; that is roughly 14 bits, or less than two bytes, of entropy (import math; math.ceil(math.log2(10_000) / 8) in Python) that the attacker is missing.

Expat needs high-quality entropy for a salt with its internal hash tables. Without an unknown-to-the-attacker hash salt, a hash table can be attacked using hash flooding, allowing denial of service attacks through crafted XML documents.

Expat 2.8.0 now uses more entropy than past releases (16 bytes rather than the previous 4 to 8 bytes, depending on architecture), starts supporting the entropy provider getentropy(3) on the many systems that offer it (including WASI, which lacks all other previously supported providers such as getrandom or arc4random), and also offers a new API function, XML_SetHashSalt16Bytes, that overcomes the limitations of its predecessor XML_SetHashSalt.
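The following is an added example, not Expat's own code: it draws a 16-byte salt (the size Expat 2.8.0 now uses) from getentropy(3), falling back to getrandom(2) on Linux, and refuses to hand out a partially filled buffer. XML_SetHashSalt16Bytes is deliberately not called, since its exact signature is not given on this page; check expat.h before wiring the salt into a parser.

```c
/* Added example (not libexpat source): obtain a 16-byte hash salt from
 * getentropy(3), with a getrandom(2) fallback on Linux. */
#define _DEFAULT_SOURCE          /* glibc: declare getentropy()/getrandom() */
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#if defined(__linux__) || defined(__APPLE__)
#include <sys/random.h>          /* getentropy() on glibc/musl and macOS */
#endif

#define SALT_BYTES 16            /* Expat 2.8.0 salt size, up from 4 to 8 bytes */

/* Fill `salt` from the first available provider. Returns 0 on success,
 * -1 if no provider could deliver the full salt. */
int fill_hash_salt(unsigned char salt[SALT_BYTES]) {
    /* getentropy(3) is all-or-nothing (at most 256 bytes per call) and is
     * available on Linux, the BSDs, macOS and WASI. */
    if (getentropy(salt, SALT_BYTES) == 0)
        return 0;
#if defined(__linux__)
    /* getrandom(2) may return short reads; loop until the buffer is full. */
    size_t got = 0;
    while (got < SALT_BYTES) {
        ssize_t n = getrandom(salt + got, SALT_BYTES - got, 0);
        if (n <= 0)
            break;
        got += (size_t)n;
    }
    if (got == SALT_BYTES)
        return 0;
#endif
    memset(salt, 0, SALT_BYTES); /* never hand out a partially filled salt */
    return -1;
}

/* Self-check: two freshly drawn salts must both be obtained and must differ
 * (with 128 bits of entropy a repeat is not expected). Returns 1 on success. */
int two_fresh_salts_differ(void) {
    unsigned char a[SALT_BYTES], b[SALT_BYTES];
    if (fill_hash_salt(a) != 0 || fill_hash_salt(b) != 0)
        return 0;
    return memcmp(a, b, SALT_BYTES) != 0;
}
```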

For implementing the new cross-platform getentropy(3) support, I teamed up with Jérôme Duval. The bug fixes were contributed by Matthew Fernandez, the maintainer of Graphviz. Thanks to everyone who contributed to this release of Expat!

For more details about this release, please check out the change log.

If you maintain Expat packaging, a bundled copy of Expat, or a pinned version of Expat, please update to version 2.8.0. Thank you!

Sebastian Pipping