CVE-2024-8176 — Uncontrolled Recursion in Expat

CWE-674 — Uncontrolled Recursion21 documents11 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 38.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Expat Debian Libxmltok Apple IOS 18.5 AND Ipados +13 more

Timeline

PublishedMar 14

Latest updateMar 3

Description

A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages16 packages

▶debiandebian/expat< expat 2.5.0-1+deb12u2 (bookworm)

▶debiandebian/libxmltok< expat 2.5.0-1+deb12u2 (bookworm)

▶Appleapple/tvos18.5

▶Appleapple/ipados17.7.7

▶Appleapple/watchos11.5

🔴Vulnerability Details

GHSA

GHSA-9hcv-xw76-m4h6: A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents↗2025-03-14

▶

OSV

CVE-2024-8176: A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents↗2025-03-14

▶

📋Vendor Advisories

CISA ICS

Hitachi Energy RTU500 Product↗2026-03-03

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: Core (LibExpat) — CVE-2024-8176↗2025-07-15

▶

Apple

CVE-2025-31222: visionOS 2.5↗2025-05-12

▶

Apple

CVE-2025-31222: tvOS 18.5↗2025-05-12

▶

Apple

CVE-2024-8176: macOS Sequoia 15.5↗2025-05-12

▶