LiveActive security incident?Get immediate response
CVE Record

CVE-2024-8176: Libexpat: expat: improper restriction of xml entity expansion depth in libexpat

A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.

HighCVSS 7.5Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

CVE-2024-8176 is a denial-of-service risk in libexpat, a common XML parsing library. Maliciously crafted XML with deeply nested entity references can exhaust stack memory and crash a process. The main business impact is service outage where exposed applications parse untrusted XML.

Executive priority

Treat as high priority for internet-facing or partner-facing XML processing services because a remote unauthenticated crash can interrupt availability. Prioritize externally reachable systems first, then internal systems with automated XML ingestion.

Technical view

The issue is improper restriction of recursive XML entity expansion depth in libexpat, mapped to CWE-674. The supplied CVSS 3.1 score is 7.5, network-reachable, low complexity, no privileges or user interaction, with high availability impact and no stated confidentiality or integrity impact.

Likely exposure

Exposure is most likely in services, middleware, or tools that parse XML using libexpat or Red Hat expat/xmlrpc-c packages. The bundle specifically lists affected Red Hat Enterprise Linux 8 and 10 package builds, including extended support variants.

Exploitation context

The bundle does not show CISA KEV listing or cited evidence of active exploitation. Exploitation requires an application path that feeds attacker-controlled XML into affected libexpat parsing. Impact is primarily crash-based denial of service; memory corruption is noted as environment-dependent.

Researcher notes

Evidence is strongest for Red Hat-packaged expat and xmlrpc-c. The bundle provides affected package builds and advisory URLs but not detailed fixed versions or exploit telemetry. Do not infer active exploitation from severity alone.

Mitigation direction

  • Apply relevant Red Hat errata updates for affected expat and xmlrpc-c packages.
  • Check vendor guidance for non-Red Hat libexpat consumers before assuming fixed versions.
  • Inventory applications and containers that parse untrusted XML with libexpat.
  • Reduce or block untrusted XML ingestion where vendor remediation is not yet available.

Validation and detection

  • Compare installed expat and xmlrpc-c package versions against the affected builds in the bundle.
  • Confirm applicable Red Hat advisories are installed for each RHEL stream and support channel.
  • Identify public or partner-facing XML upload, API, or integration paths using libexpat.
  • Use vulnerability management results to confirm CVE-2024-8176 is no longer reported after updates.
Prepared
Confidence
medium
Sources
12

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-674: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Container behavior lookup

The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2024-8176 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
7.5 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
5Timeline events
2ADP providers
32Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: yesTechnical Impact: partial

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
7.5CVSS 3.1HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H3.93.6redhat

Vulnerability scoring details

Base CVSS 3.1 score

7.5High
CVSS 3.1 vector shape for CVE-2024-8176Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. Source timelineredhat

    Reported to Red Hat.

  2. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  3. Source timelineredhat

    Made public.

  4. CVE publishedCVE Program

    The CVE record was published.

  5. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
CVECVE Program Container

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
Unknown vendorlibexpatlibexpat, 0unaffected
Red HatRed Hat Enterprise Linux 10expat, 0:2.7.1-1.el10_0affected
Red HatRed Hat Enterprise Linux 8expat, 0:2.2.5-17.el8_10affected
Red HatRed Hat Enterprise Linux 8xmlrpc-c, 0:1.51.0-11.el8_10affected
Red HatRed Hat Enterprise Linux 8.2 Advanced Update Supportexpat, 0:2.2.10-1.el8_2affected
Red HatRed Hat Enterprise Linux 8.2 Advanced Update Supportxmlrpc-c, 0:1.51.0-5.el8_2.2affected
Red HatRed Hat Enterprise Linux 8.4 Advanced Mission Critical Update Supportexpat, 0:2.2.10-1.el8_4affected
Red HatRed Hat Enterprise Linux 8.4 Advanced Mission Critical Update Supportxmlrpc-c, 0:1.51.0-5.el8_4.2affected
Red HatRed Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-Onexpat, 0:2.2.10-1.el8_4affected
Red HatRed Hat Enterprise Linux 8.4 Telecommunications Update Servicexmlrpc-c, 0:1.51.0-5.el8_4.2affected
Red HatRed Hat Enterprise Linux 8.4 Update Services for SAP Solutionsxmlrpc-c, 0:1.51.0-5.el8_4.2affected
Red HatRed Hat Enterprise Linux 8.6 Advanced Mission Critical Update Supportexpat, 0:2.2.10-1.el8_6affected
Red HatRed Hat Enterprise Linux 8.6 Advanced Mission Critical Update Supportxmlrpc-c, 0:1.51.0-6.el8_6.1affected
Red HatRed Hat Enterprise Linux 8.6 Telecommunications Update Serviceexpat, 0:2.2.10-1.el8_6affected
Red HatRed Hat Enterprise Linux 8.6 Telecommunications Update Servicexmlrpc-c, 0:1.51.0-6.el8_6.1affected
Red HatRed Hat Enterprise Linux 8.6 Update Services for SAP Solutionsexpat, 0:2.2.10-1.el8_6affected
Red HatRed Hat Enterprise Linux 8.6 Update Services for SAP Solutionsxmlrpc-c, 0:1.51.0-6.el8_6.1affected
Red HatRed Hat Enterprise Linux 8.8 Extended Update Supportxmlrpc-c, 0:1.51.0-8.el8_8.1affected
Red HatRed Hat Enterprise Linux 8.8 Telecommunications Update Serviceexpat, 0:2.2.10-1.el8_8affected
Red HatRed Hat Enterprise Linux 8.8 Update Services for SAP Solutionsexpat, 0:2.2.10-1.el8_8affected
Red HatRed Hat Enterprise Linux 9expat, 0:2.5.0-3.el9_5.3affected
Red HatRed Hat Enterprise Linux 9expat, 0:2.5.0-5.el9_6affected
Red HatRed Hat Enterprise Linux 9expat, 0:2.5.0-3.el9_5.3affected
Red HatRed Hat Enterprise Linux 9expat, 0:2.5.0-5.el9_6affected
Red HatRed Hat Enterprise Linux 9.0 Update Services for SAP Solutionsexpat, 0:2.2.10-12.el9_0.4affected
Red HatRed Hat Enterprise Linux 9.2 Update Services for SAP Solutionsexpat, 0:2.5.0-1.el9_2.3affected
Red HatRed Hat Enterprise Linux 9.4 Extended Update Supportexpat, 0:2.5.0-2.el9_4.3affected
Red HatRed Hat JBoss Core Services 2.4.62.SP1expatunaffected
Red HatDevWorkspace Operator 0.33devworkspace/devworkspace-project-clone-rhel9, 0.33-1744075017affected
Red HatRed Hat Discovery 1.14discovery/discovery-server-rhel9, 1.14.3-1748529279affected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-674 · source CWE mapping

Uncontrolled Recursion

Uncontrolled Recursion represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.