CVE-2024-8176

A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://access.redhat.com/errata/RHSA-2025:13681
https://access.redhat.com/errata/RHSA-2025:22033
https://access.redhat.com/errata/RHSA-2025:22034
https://access.redhat.com/errata/RHSA-2025:22035
https://access.redhat.com/errata/RHSA-2025:22607
https://access.redhat.com/errata/RHSA-2025:3531
https://access.redhat.com/errata/RHSA-2025:3734
https://access.redhat.com/errata/RHSA-2025:3913
https://access.redhat.com/errata/RHSA-2025:4048
https://access.redhat.com/errata/RHSA-2025:4446
https://access.redhat.com/errata/RHSA-2025:4447
https://access.redhat.com/errata/RHSA-2025:4448
https://access.redhat.com/errata/RHSA-2025:4449
https://access.redhat.com/errata/RHSA-2025:7444
https://access.redhat.com/errata/RHSA-2025:7512
https://access.redhat.com/errata/RHSA-2025:8385
https://access.redhat.com/security/cve/CVE-2024-8176
https://bugzilla.redhat.com/show_bug.cgi?id=2310137
https://github.com/libexpat/libexpat/issues/893
http://seclists.org/fulldisclosure/2025/May/10
http://seclists.org/fulldisclosure/2025/May/11
http://seclists.org/fulldisclosure/2025/May/12
http://seclists.org/fulldisclosure/2025/May/6
http://seclists.org/fulldisclosure/2025/May/7
http://seclists.org/fulldisclosure/2025/May/8
http://www.openwall.com/lists/oss-security/2025/03/15/1
http://www.openwall.com/lists/oss-security/2025/09/24/11
https://blog.hartwork.org/posts/expat-2-7-0-released/
https://bugzilla.suse.com/show_bug.cgi?id=1239618
https://github.com/libexpat/libexpat/blob/R_2_7_0/expat/Changes#L40-L52
https://gitlab.alpinelinux.org/alpine/aports/-/commit/d068c3ff36fc6f4789988a09c69b434db757db53
https://security-tracker.debian.org/tracker/CVE-2024-8176
https://security.netapp.com/advisory/ntap-20250328-0009/
https://ubuntu.com/security/CVE-2024-8176
https://www.kb.cert.org/vuls/id/760160

Configurations

No configuration.

History

02 Dec 2025, 15:15

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2025:22607 -

25 Nov 2025, 11:15

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2025:22034 -

25 Nov 2025, 08:15

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2025:22033 - () https://access.redhat.com/errata/RHSA-2025:22035 -

04 Nov 2025, 22:16

Type	Values Removed	Values Added
References		() http://seclists.org/fulldisclosure/2025/May/10 - () http://seclists.org/fulldisclosure/2025/May/11 - () http://seclists.org/fulldisclosure/2025/May/12 - () http://seclists.org/fulldisclosure/2025/May/6 - () http://seclists.org/fulldisclosure/2025/May/7 - () http://seclists.org/fulldisclosure/2025/May/8 - () http://www.openwall.com/lists/oss-security/2025/09/24/11 -

Information

Published : 2025-03-14 09:15

Updated : 2025-12-02 15:15

NVD link : CVE-2024-8176

Mitre link : CVE-2024-8176

CVE.ORG link : CVE-2024-8176

JSON object : View

Products Affected

No product.

CWE

CWE-674

Uncontrolled Recursion

7.5 /10