CVERadar

CVE-2024-8176

Severity: High
SVRS: 68/100
CVSSv3: 7.5/10
EPSS: 0.00346/1

CVE-2024-8176: A stack overflow vulnerability in libexpat allows for denial of service. Recursive entity expansion in XML documents can exhaust stack space, leading to a crash. While the CVSS score is 7.5, the SOCRadar Vulnerability Risk Score (SVRS) is 68, indicating a moderate risk. This vulnerability arises from improper handling of deeply nested entity references, potentially causing memory corruption. Successful exploitation can result in application crashes and service disruption. Organizations using libexpat should apply patches to mitigate the denial-of-service risk. This CVE is significant due to the widespread use of libexpat in various applications.

Tags: X_refsource_REDHAT, Issue-tracking, In The Wild, Vendor-advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2025-04-15

2025-03-14
SOCRadar AI Insight

Description

CVE-2024-8176 is a stack overflow vulnerability within the libexpat library. It stems from the library's handling of recursive entity expansion when parsing XML documents. Deeply nested entity references can cause libexpat to recurse indefinitely, leading to stack exhaustion and a crash, potentially resulting in a denial-of-service (DoS). While its CVSS score is 7.5, the SOCRadar Vulnerability Risk Score (SVRS) of 73 suggests a significant risk level, nearing criticality. The presence of the "In The Wild" tag indicates that the vulnerability is actively exploited by hackers.

Key Insights

  1. Recursive Entity Expansion: The root cause lies in the unchecked recursive nature of entity expansion within XML parsing performed by libexpat. Malicious actors can craft XML documents specifically designed to trigger this recursion.
  2. Denial-of-Service Potential: The immediate and most likely impact is a denial-of-service (DoS) condition. By exhausting the stack, the application using libexpat becomes unavailable, impacting system uptime and service delivery.
  3. Memory Corruption Risk: While less certain, the description indicates potential for exploitable memory corruption in some scenarios. This could enable attackers to gain control over the affected system, depending on how libexpat is used and the system's architecture.
  4. Active Exploitation: The tag "In The Wild" demonstrates the vulnerability is actively exploited by hackers.

Mitigation Strategies

  1. Update libexpat: Immediately update libexpat to the latest patched version. This is the primary and most effective mitigation, as patches address the vulnerable code.
  2. Restrict XML Processing: Where feasible, limit or restrict the processing of XML documents from untrusted sources. Implement size limits on XML documents and disable or limit entity expansion.
  3. Runtime Monitoring: Implement runtime monitoring to detect excessive stack usage by processes using libexpat. This can help identify and mitigate ongoing attacks before they fully exhaust system resources.
  4. Web Application Firewall (WAF) Rules: Implement rules in Web Application Firewalls (WAFs) to detect and block malicious XML payloads designed to exploit this vulnerability.
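
The first two mitigations can be checked and enforced in application code. The following is an added example, not code from SOCRadar or the Expat project: it uses Python's standard `xml.parsers.expat` binding to report whether the linked Expat is at least 2.7.0 and to parse untrusted input with a size cap and all entity declarations refused. The function names, the `max_bytes` default and the sample documents are assumptions made for illustration.

```python
import xml.parsers.expat as expat

FIXED_VERSION = (2, 7, 0)  # Expat release carrying the fix, per the posts quoted on this page


class EntityDeclarationForbidden(ValueError):
    """Untrusted XML tried to declare an entity."""


def linked_expat_is_fixed(version_info=None):
    """True when the Expat linked into this interpreter is >= 2.7.0.

    Distribution backports keep the old version number, so False means
    "check the vendor advisory", not "certainly vulnerable".
    """
    found = expat.version_info if version_info is None else version_info
    return tuple(found) >= FIXED_VERSION


def parse_untrusted(xml_bytes, max_bytes=1_000_000):
    """Parse untrusted XML; return element names in document order.

    max_bytes is an assumed cap; set it to your largest legitimate document.
    """
    if len(xml_bytes) > max_bytes:
        raise ValueError("XML document exceeds size limit")
    names = []
    parser = expat.ParserCreate()

    def forbid_entity(name, is_param, value, base, system_id, public_id, notation):
        # Fires while the DTD is read, before any reference is expanded.
        raise EntityDeclarationForbidden(f"entity declaration refused: {name!r}")

    parser.EntityDeclHandler = forbid_entity
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(xml_bytes, True)
    return names


# Constructed samples: a plain document and one declaring a two-step entity chain.
BENIGN = b"<order><item/><item/></order>"
CHAINED = b'<!DOCTYPE d [<!ENTITY a "x"><!ENTITY b "&a;">]><d>&b;</d>'

if __name__ == "__main__":
    print("linked Expat", expat.EXPAT_VERSION, "fixed:", linked_expat_is_fixed())
    print(parse_untrusted(BENIGN))
```

Refusing declarations outright suits services that never need a DTD; applications that do rely on entities still need the patched library.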

Indicators of Compromise

No IOCs found for this CVE

Exploits

No exploits found for this CVE

News

Re: expat vulnerability CVE-2024-8176 / impact of recursion stack overflow vulnerabilities
seclists.org, 2025-03-15
Posted by Qualys Security Advisory on Mar 15: Hi Hanno, all, We have not looked into this specific expat vulnerability yet, and we have not tried to exploit a stack-clash vulnerability in a long time, but maybe what follows will be useful anyway. The TL;DR is probably: stack-clash vulnerabilities are not exploitable for arbitrary code execution anymore, because

[CVE-2024-8176] Long linear chains of entities crash Expat with stack overflow due to use of unlimited recursion
seclists.org, 2025-03-14
Posted by Alan Coopersmith on Mar 14: [...] Expat 2.7.0 has now been released with a fix for that issue, and the issue has been disclosed in: https://blog.hartwork.org/posts/expat-2-7-0-released/ https://github.com/libexpat/libexpat/issues/893 https://github.com

expat vulnerability CVE-2024-8176 / impact of recursion stack overflow vulnerabilities
seclists.org, 2025-03-14
Posted by Hanno Böck on Mar 14: Hello, A vulnerability (CVE-2024-8176) has been fixed in expat, a widely used xml parser library: https://blog.hartwork.org/posts/expat-2-7-0-released/ Info about the vuln has been posted here already. expat 2.7.0 fixes multiple variations of stack overflows due to recursion and can be triggered by using a large

Daily summary - 14.03.2025
cert.at, 2025-03-14
End-of-Day report. Timeframe: Thursday 13-03-2025 18:00 - Friday 14-03-2025 18:00. Handler: Alexander Riepl. Co-Handler: n/a. News: New SuperBlack ransomware exploits Fortinet auth bypass flaws. A new ransomware operator named Mora_001 is exploiting two Fortinet vulnerabilities to gain unauthorized access to firewall appliances and deploy a custom ransomware strain dubbed SuperBlack. https://www.bleepingcomputer.com/news/security/new-superblack-ransomware-exploits-fortinet-auth-bypass-flaws/

Recursion kills: The story behind CVE-2024-8176 in libexpat
ycombinator.com, 2025-03-14

CVE-2024-8176 | libexpat stack-based overflow
vuldb.com, 2025-03-13
A vulnerability was found in libexpat and classified as critical. This issue affects some unknown processing. The manipulation leads to stack-based buffer overflow. The identification of this vulnerability is CVE-2024-8176. The attack can only be initiated within the local network. There is no exploit available.

Social Media

CVE-2024-8176 (CVSS:7.5, HIGH) is Awaiting Analysis. A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XM..https://t.co/HINLIguGUN #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre

Impact of recursion stack overflow vulnerabilities (in context of expat CVE-2024-8176) https://t.co/XnGWnIxxTa Likely "only" a crash/denial of service type of bug if -fstack-clash-protection is used

CVE-2024-8176: Expat: Long linear chains of entities crash Expat with stack overflow due to use of unlimited recursion https://t.co/2L34Kw8IeK Expat 2.7.0 released with a fix

Recursion kills: The story behind CVE-2024-8176 / Expat 2.7.0 released, includes security fixes https://t.co/rrnnRqa3cu

CVE-2024-8176 A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with d… https://t.co/d4rcabLqkx

Recursion kills: The story behind CVE-2024-8176 / Expat 2.7.0 released, includes security fixes https://t.co/9ZqdztslqX

Recursion kills: The story behind CVE-2024-8176 in libexpat https://t.co/ZzFhnnbHP3 (https://t.co/WqlESQMS9m)

Recursion kills: The story behind CVE-2024-8176 in libexpat via /r/hackernews https://t.co/gYkaGLMLkK

Recursion kills: The story behind CVE-2024-8176 / Expat 2.7.0 released, includes security fixes https://t.co/HHLRWZlHe6 https://t.co/aLwrjpT3yv

Recursion kills: The story behind CVE-2024-8176 in libexpat https://t.co/O31ytUqPsy (https://t.co/bd5q4w3pvz)

Affected Software

No affected software found for this CVE

References

Reference    Link
AF854A3A-2127-422B-91AE-364DA2661108    http://www.openwall.com/lists/oss-security/2025/03/15/1
AF854A3A-2127-422B-91AE-364DA2661108    https://blog.hartwork.org/posts/expat-2-7-0-released/
AF854A3A-2127-422B-91AE-364DA2661108    https://bugzilla.suse.com/show_bug.cgi?id=1239618
AF854A3A-2127-422B-91AE-364DA2661108    https://github.com/libexpat/libexpat/blob/R_2_7_0/expat/Changes#L40-L52
AF854A3A-2127-422B-91AE-364DA2661108    https://gitlab.alpinelinux.org/alpine/aports/-/commit/d068c3ff36fc6f4789988a09c69b434db757db53
AF854A3A-2127-422B-91AE-364DA2661108    https://security-tracker.debian.org/tracker/CVE-2024-8176
AF854A3A-2127-422B-91AE-364DA2661108    https://security.netapp.com/advisory/ntap-20250328-0009/
AF854A3A-2127-422B-91AE-364DA2661108    https://ubuntu.com/security/CVE-2024-8176
[email protected]    https://access.redhat.com/security/cve/CVE-2024-8176
[email protected]    https://bugzilla.redhat.com/show_bug.cgi?id=2310137
[email protected]    https://github.com/libexpat/libexpat/issues/893
RHBZ#2310137    https://bugzilla.redhat.com/show_bug.cgi?id=2310137
RHSA-2025:3531    https://access.redhat.com/errata/RHSA-2025:3531
RHSA-2025:3734    https://access.redhat.com/errata/RHSA-2025:3734
RHSA-2025:3913    https://access.redhat.com/errata/RHSA-2025:3913

CWE Details

CWE ID: CWE-674
CWE Name: Uncontrolled Recursion
Description: The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack.
