For readers new to Expat:

libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, specifically C99. It is cross-platform and licensed under the MIT license.

Expat 2.8.2 was released today. The key motivation for cutting a release and doing so now was getting security and non-security bugfixes out to users. On the security side, 13 vulnerabilities have been fixed:

• CVE-2026-50219 — missing control flow integrity checks
• CVE-2026-56131 — missing control flow integrity checks
• CVE-2026-56132 — out-of-bounds write
• CVE-2026-56403 — integer overflow
• CVE-2026-56404 — integer overflow
• CVE-2026-56405 — integer overflow
• CVE-2026-56406 — integer overflow
• CVE-2026-56407 — integer overflow
• CVE-2026-56408 — integer overflow
• CVE-2026-56409 — integer overflow
• CVE-2026-56410 — integer overflow
• CVE-2026-56411 — integer overflow
• CVE-2026-56412 — missing control flow integrity checks

The missing control flow integrity checks were brought to light by Steve Stagg in CPython, by Yousef Shanableh, Asher Darden, Haris Hussain, Sajin S of Astra Security and fixed by Kartik Kenchi, Haris Hussain and me.

The out-of-bounds write was reported and fixed by Alessandro Gario of Trail of Bits, Anthropic and Matthew Fernandez.

The integer overflows were reported and fixed by Kartik Kenchi and me.

Thanks to everyone who contributed to this release of Expat!

It it worth reminding that:

• Following the curl project, the libexpat project is on "security vacation" now until 2026-08-01, i.e. new vulnerability reports will not be accepted until then.
• CVSS scores are unreliable and not a metric to base decisions on.

For more details about this release, please check out the change log.

If you maintain Expat packaging, a bundled copy of Expat, or a pinned version of Expat, please update to version 2.8.2. Thank you!

Sebastian Pipping