CVE-2024-8176 HIGH

CVE-2024-8176: Libexpat: expat: improper restriction of xml entity expansion depth in libexpat

Vendor Red Hat
Product Red Hat JBoss Core Services 2.4.62.SP1
Weakness CWE-674 (Uncontrolled Recursion)
Published March 14, 2025
Last update June 29, 2026

CVSS base score

7.5/10 (CVSS v3.1)
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01 Description

A stack exhaustion vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an attacker-supplied document whose internal entities reference one another in a deep chain, libexpat recurses once per nesting level, so a sufficiently deep chain exhausts the stack and crashes the parsing process. Because the document is all the attacker needs, any unauthenticated network service that feeds untrusted XML to libexpat is exposed (AV:N/PR:N/UI:N). The practical result is denial of service; Red Hat's description also allows for exploitable memory corruption in some environments depending on how the library is used, but the CVSS vector above (C:N/I:N/A:H) scores the issue as an availability impact only.
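The document shape the description refers to, and a pre-parse guard against it, as an added example (this is not Red Hat's, JBoss Core Services' or libexpat's own code). It builds a chain of internal entities in which each entity's value references the next, measures the longest reference chain without recursion before any bytes reach libexpat, and only then hands the document to Python's expat binding. The function names, the depth limit, the sample documents and the fixed-version check (upstream libexpat 2.7.0, which the page above does not state, so confirm against your vendor's advisory) are all assumptions of this example.

```python
"""Nested-entity reproducer shape for CVE-2024-8176 plus a non-recursive
pre-parse guard.  Added example, not the vendor's or libexpat's code."""
import re
from xml.parsers import expat

# Assumed policy value for this example; pick one that fits your documents.
MAX_ENTITY_DEPTH = 32


def build_nested_entity_doc(depth: int, leaf: str = "x") -> str:
    """Construct a document where &e0; expands to &e1; ... down to a literal leaf.
    Each level costs libexpat one recursive expansion in unpatched versions."""
    decls = []
    for i in range(depth):
        body = leaf if i == depth - 1 else f"&e{i + 1};"
        decls.append(f'<!ENTITY e{i} "{body}">')
    dtd = "\n".join(decls)
    return f'<?xml version="1.0"?>\n<!DOCTYPE r [\n{dtd}\n]>\n<r>&e0;</r>\n'


# Internal general entities with a quoted literal value only; parameter
# entities (<!ENTITY % ...>) and SYSTEM/PUBLIC external entities do not match.
_ENTITY_DECL = re.compile(r'<!ENTITY\s+([^\s%]+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
_ENTITY_REF = re.compile(r"&([^\s&;#]+);")  # &name; but not &#...; char refs


def entity_reference_depth(xml_text: str) -> int:
    """Longest chain of internal entity references reachable from content.
    e0 -> e1 -> e2 -> literal gives 3.  Iterative (topological order + DP),
    so the guard itself cannot be stack-exhausted by the input it checks.
    A reference cycle is rejected as malformed."""
    refs = {}
    for m in _ENTITY_DECL.finditer(xml_text):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        refs[m.group(1)] = _ENTITY_REF.findall(value)
    graph = {n: [c for c in children if c in refs] for n, children in refs.items()}

    indeg = {n: 0 for n in graph}
    for children in graph.values():
        for c in children:
            indeg[c] += 1
    order, ready = [], [n for n, d in indeg.items() if d == 0]
    while ready:
        n = ready.pop()
        order.append(n)
        for c in graph[n]:
            indeg[c] -= 1
            if indeg[c] == 0:
                ready.append(c)
    if len(order) != len(graph):
        raise ValueError("recursive entity reference in internal subset")

    depth = {}
    for n in reversed(order):  # every child is finished before its parent
        depth[n] = 1 + max((depth[c] for c in graph[n]), default=0)

    # Only references in content (after the internal subset) start a chain.
    end = xml_text.find("]>")
    body = xml_text if end == -1 else xml_text[end + 2:]
    return max((depth[r] for r in _ENTITY_REF.findall(body) if r in depth), default=0)


def parse_with_entity_guard(xml_text: str, max_depth: int = MAX_ENTITY_DEPTH) -> str:
    """Refuse over-deep entity chains before libexpat sees them; otherwise parse
    and return the expanded character data of the root element."""
    d = entity_reference_depth(xml_text)
    if d > max_depth:
        raise ValueError(f"entity reference depth {d} exceeds limit {max_depth}")
    chunks = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_text, True)
    return "".join(chunks)


def expat_version_is_patched(version=expat.version_info, fixed=(2, 7, 0)) -> bool:
    """True when the libexpat Python links against is at or past the upstream
    release assumed here to carry the fix (2.7.0); check your vendor's advisory."""
    return tuple(version) >= fixed


if __name__ == "__main__":
    print("bundled libexpat:", expat.version_info, "patched:", expat_version_is_patched())
    print("benign depth-3 document expands to:", parse_with_entity_guard(build_nested_entity_doc(3)))
    hostile = build_nested_entity_doc(100_000)  # constructed reproducer shape
    try:
        parse_with_entity_guard(hostile)
    except ValueError as exc:
        print("rejected before parsing:", exc)
```

The guard is a stop-gap for services that must accept DTDs; where the internal subset is not needed at all, rejecting any DOCTYPE (for example by raising from a `StartDoctypeDeclHandler`) is simpler and closes the whole entity-expansion class. Neither replaces updating libexpat.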

Key dates

02 Disclosure timeline

March 14, 2025 CVE published
June 29, 2026 Record updated