{"id":"CVE-2023-52426","details":"libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.","modified":"2026-03-12T02:16:37.135842565Z","published":"2024-02-04T20:15:46.120Z","related":["SUSE-SU-2025:20207-1","SUSE-SU-2025:20311-1","openSUSE-SU-2024:13695-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNUBSGZFEZOBHJFTAD42SAN4ATW2VEMV/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB/"},{"type":"ADVISORY","url":"https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404"},{"type":"ADVISORY","url":"https://github.com/libexpat/libexpat/pull/777"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20240307-0005/"},{"type":"FIX","url":"https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404"},{"type":"ARTICLE","url":"https://cwe.mitre.org/data/definitions/776.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libexpat/libexpat","events":[{"introduced":"0"},{"fixed":"0f075ec8ecb5e43f8fdca5182f8cca4703da0404"}]}],"versions":["REC1_0","R_1_95_0","R_1_95_2","R_1_95_3","R_1_95_4","R_1_95_5","R_1_95_6","R_1_95_7","R_1_95_8","R_2_0_0","R_2_0_1","R_2_1_0","R_2_1_1","R_2_2_0","R_2_2_1","R_2_2_10","R_2_2_2","R_2_2_3","R_2_2_4","R_2_2_5","R_2_2_6","R_2_2_7","R_2_2_8","R_2_2_9","R_2_3_0","R_2_4_0","R_2_4_1","R_2_4_2","R_2_4_3","R_2_4_4","R_2_4_5","R_2_4_6","R_2_4_7","R_2_4_8","R_2_4_9","R_2_5_0","V1990307","V19981122","V19981231","V19990109","V19990425","V19990626","V19990709","V19990728","V19991013","V1_0","V1_1","V20000512","beta2","beta3","beta4","jclark-orig","libexpat-alpha-1","sourceforge_init","start"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-52426.json","vanir_signatures":[{"signature_version":"v1","source":"https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404","digest":{"function_hash":"21966163000585031404932848159552191475","length":3823},"target":{"function":"appendAttributeValue","file":"expat/lib/xmlparse.c"},"signature_type":"Function","id":"CVE-2023-52426-07a56893","deprecated":false},{"signature_version":"v1","source":"https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404","digest":{"threshold":0.9,"line_hashes":["99170557276827328915359870967174810496","136066061864242532683744951583020889207","134606419353113292048592079239075672829","236118028373682275540784275705656048129","44278453969947468552646259917277427384","104589846590859150023905579863205474011","153490090288632883454409844191213079938","112945941316001198084342545926122402643","77284758925616972044537129805180903744","150048432160285165557519879328641856881","190245947072112426416021585838994201692","104589846590859150023905579863205474011","249332184506560023727685091106500490755","295772562926034050803350554916854023190","214258367365239007026450089327161462422","108597736437782983765730004115346272066","261918219823180450547592852914521123819","266837607272318866114748356118365684786","214550537703738826980496686127756429871","272578927542326114766698865696611651767","91475294762464158698010855597285041466","196823543823044432516831074579393685929"]},"target":{"file":"expat/xmlwf/xmlwf.c"},"signature_type":"Line","id":"CVE-2023-52426-0edef637","deprecated":false},{"signature_version":"v1","source":"https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404","digest":{"function_hash":"132562740846339807628217901171322105292","length":1016},"target":{"function":"externalEntityInitProcessor2","file":"expat/lib/xmlparse.c"},"signature_type":"Function","id":"CVE-2023-52426-2a6c93b8","deprecated":false},{"signature_version":"v1","source":"https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404","id":"CVE-2023-52426-41cd4ffc","target":{"function":"doCdataSection","file":"expat/lib/xmlparse.c"},"signature_type":"Function","digest":{"function_hash":"50371684883304735445359904865404696495","length":2912},"deprecated":false},{"signature_version":"v1","source":"https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404","id":"CVE-2023-52426-4de2d6b2","target":{"function":"tmain","file":"expat/xmlwf/xmlwf.c"},"signature_type":"Function","digest":{"function_hash":"109939025514700382941458758518269281345","length":7140},"deprecated":false},{"signature_version":"v1","source":"https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404","digest":{"function_hash":"134248216409912112811267870647432738034","length":1425},"target":{"function":"XML_GetFeatureList","file":"expat/lib/xmlparse.c"},"signature_type":"Function","id":"CVE-2023-52426-5ae86902","deprecated":false},{"signature_version":"v1","source":"https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404","digest":{"function_hash":"282899842159912198801588995787703417584","length":1831},"target":{"function":"epilogProcessor","file":"expat/lib/xmlparse.c"},"signature_type":"Function","id":"CVE-2023-52426-5c62814c","deprecated":false},{"signature_version":"v1","source":"https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404","digest":{"threshold":0.9,"line_hashes":["71470374413210588405323986431112842828","337261555162191464860294667388774008685","90953095833824153590009788373452013370","175195391156327468298071371566074894129","76178541907845056912501183026084487774","221092645912663499771250235038706703492","113545008849319699889349419472208631909","98870925420417191591203134792101301995","133035178292319448542162690129691702632","211770681343881259420375171302889044224","108745352929457887336682872942504980595","242827216036656684640872613508940326587","93732945298061120895004024804961600127","3471409761095238342208182322033851547","159514480215970528543907738294460736774","115685320627613433569085127717524674050","61158784747551808404566372858676583583","117241986879424566691766463754560905269","323674543514489456567002776184199430320","324998795399128069914348692129914696155","21335650373902663991721063679088807716","233503972970214895405248035163813231265","335443464780141440412191413786238732121","159779937905260529171019305828358958942","57256754346090338307840987587692477332","228499349125954499268478914590458720715","317168818769979825624043768258281534527","265225051301411033449427186292250953277","119575798615460410118395468421552152866","126060255622488245268709610241247177287","284701892848792187260781684871252422326","14161146363970034022545023784357790875","99486388555778093763249850927954151509","127802229017105644860536088488303087436","179204255350529238786975520336471761485","175672709753091155851177848675339086851","162961126005280385056710015889612347674","232028154735277607165481756653484489915","322457299150233962468208513022911516679","294407076791430514239428215683212887716","166002024288968766788798010948061178619","103018685048674873090477231638819114804","2302111037287434728852978454010218606","104206560896081305606054513829941894695","98878451520024838410341254418941447489","326477695875920677849897323439928667495","305158175563818199076586195314385627035","226096967595985210070130767028688713447","31317323190565944990166389543900684302","144133579135571011206597003348943905307","129399981165231711358820923717600720536","61878344685881244619876525364427816443","207692712754966414774112772154147277068","10238116192606974126143543924599327067","94123859369786126475893696766326832081","56331959760599407760063874204716790752","90176241890549262661640503882503594016","21292563945727791699253567697790478155","98193614674505577597638347618659735390","208667214443592899205047573438057360395","301385951691828881619162363643348469499","180691338273631567336054571120084762164","263255664921410625923341113985402586598","88359034494937012169745783738819516642","208924561298611273227412473050421102413","336912426789446284871160287367601859306","191060537614830460252800665782174539468","47546216522709058431166381468339811273","37782226598410609999322293432809836543","283237294328805626406441510625886559735","95879444117711867341045345440253095982","82006720794344664130942445801685008865","331658681698370591961974461880813743983","336912426789446284871160287367601859306","334124948763274882690755682912468066455","84908592487474151507069383424897308589","280536224345506024758694447605989134584","66922090964008686473409403068397833137","316210131061258616982164409735752605056","295394163847125417202226501611134511556","12950873223598158010025519323430021980","255963171832262274747489386111978969483","55853291833024032974787872991353733073","30150133598152738910492269979764114047","263711151413668092123530851036395973293","10989517053017465257608803484471618489","207444796441782881049362141083953330836","236618585548359545535953452940012206350","282590948519116082527888064830270109590","269824899401164434690585234687330920155","142895070342382765062277800581174043859","49696943650598843027077395268272015783","190918191132295502043760388950323630823","153047925165985383542369773632216500423","106911162135484423834547787595148161857","184176876535888842883326215750472412372","162420003695981970933081212565655791931","119727776920727109620811649952094559036","274531878762653862040978495239726369484","125362517545233914572884304232569768675","6937938252354647205217597162489314278","279406784023095523980197485836557814768","225249050265902479286020998410884839729","145687299947099659631371114291057535029","175186720645079118924080722953904932089","132783597513205059304008775908132967776","207692712754966414774112772154147277068","10238116192606974126143543924599327067","94123859369786126475893696766326832081","126596284963552908281879182267889296837","61288260371558299991482072612057164332","145676420602119428764402936896891550610","209507981101104714388175158184027470543","86368509502637621836284260318152471398","282590948519116082527888064830270109590","312527769057514186658143150699533160277","12660608443303867625630499952750117217","134745722671749816839802761627795140169","323515640490943074806855938133780414802","293571956050000104555413097110290948246","3692363625333745794249651615565359496","234252127058578059667749384041252978240","125362517545233914572884304232569768675","326287392283338404901546536107878366557","116280059104785101574687855584398506882","255114241589935637583713086478653424485","60466400186969965512486411280662757066","275413527466240942749343557114054124163","323554653962258761621752706009928669399","241842506098042367310965479606089707712","6174603590383472394931013997306663213","64573329259082959859314497699107763700","168499664711524123292638033371058505569","103432382028960920778420848302667583850","96787218619602428033218364235868879967"]},"target":{"file":"expat/lib/xmlparse.c"},"signature_type":"Line","id":"CVE-2023-52426-67d30ec3","deprecated":false},{"signature_version":"v1","source":"https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404","digest":{"function_hash":"159255620538921627367732027319109476102","length":1769},"target":{"function":"processInternalEntity","file":"expat/lib/xmlparse.c"},"signature_type":"Function","id":"CVE-2023-52426-77b9627d","deprecated":false},{"signature_version":"v1","source":"https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404","digest":{"threshold":0.9,"line_hashes":["150456016791797429903212649384096341610","253473976081072359424296733550593311895","61353209645823738982669675580078580358","268433607375412296606602598167059935488","210623140644525091877893797238405137695","41838725246221933037827158626614924246","177937653506235826962414665870806473005"]},"target":{"file":"expat/lib/expat.h"},"signature_type":"Line","id":"CVE-2023-52426-8eaf1fd9","deprecated":false},{"signature_version":"v1","source":"https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404","digest":{"function_hash":"163909581757202033941923154444626906707","length":28790},"target":{"function":"doProlog","file":"expat/lib/xmlparse.c"},"signature_type":"Function","id":"CVE-2023-52426-930f9228","deprecated":false},{"signature_version":"v1","source":"https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404","digest":{"function_hash":"182246409033957346525094809584405957015","length":1426},"target":{"function":"doIgnoreSection","file":"expat/lib/xmlparse.c"},"signature_type":"Function","id":"CVE-2023-52426-94101eab","deprecated":false},{"signature_version":"v1","source":"https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404","digest":{"function_hash":"174327787156966667290717172171364281526","length":2325},"target":{"function":"processXmlDecl","file":"expat/lib/xmlparse.c"},"signature_type":"Function","id":"CVE-2023-52426-9e641761","deprecated":false},{"signature_version":"v1","source":"https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404","digest":{"function_hash":"2576277895491768345022417926785804741","length":3278},"target":{"function":"parserInit","file":"expat/lib/xmlparse.c"},"signature_type":"Function","id":"CVE-2023-52426-ba07a9f1","deprecated":false},{"signature_version":"v1","source":"https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404","digest":{"function_hash":"3133245618331857616305689339381325920","length":1444},"target":{"function":"entityValueInitProcessor","file":"expat/lib/xmlparse.c"},"signature_type":"Function","id":"CVE-2023-52426-c9ddf77b","deprecated":false},{"signature_version":"v1","source":"https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404","id":"CVE-2023-52426-d1e91dcb","target":{"file":"expat/lib/internal.h"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["87009556943387016105424136463568289485","293808254575373989417206695675551424514","64935393798895274116637563817998587663","140770519928116757280849590997307451550"]},"deprecated":false},{"signature_version":"v1","source":"https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404","digest":{"function_hash":"262330051084319543839054590361516848344","length":4061},"target":{"function":"storeEntityValue","file":"expat/lib/xmlparse.c"},"signature_type":"Function","id":"CVE-2023-52426-d8cbaa07","deprecated":false},{"signature_version":"v1","source":"https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404","digest":{"function_hash":"95463951740735094791439300279084957718","length":2115},"target":{"function":"internalEntityProcessor","file":"expat/lib/xmlparse.c"},"signature_type":"Function","id":"CVE-2023-52426-de4f75fb","deprecated":false},{"signature_version":"v1","source":"https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404","digest":{"function_hash":"254915876699853307597646663337837718187","length":12569},"target":{"function":"doContent","file":"expat/lib/xmlparse.c"},"signature_type":"Function","id":"CVE-2023-52426-f9b4cf80","deprecated":false}]}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}