CVE-2024-8176
Advisory lineage Upstream: 0 Downstream: 29
Deferred
Published: 14 Mar 2025, 08:19
Last modified:22 Apr 2026, 15:55
Vulnerability Summary
Overall Risk (default)
medium
30/100 CVSS Score
7.5 HIGH
v3.1 (cve.org)
EPSS Score
0.8% LOW
1% probability +0.39%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
14 Mar 2025, 08:19
Published
Vulnerability first disclosed
22 Apr 2026, 15:55
Last Modified
Vulnerability information updated
Description
A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.
CVSS Metrics
- v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Trends
Current EPSS score: 0.80%• Percentile: 74%
Techniques & Countermeasures
- CWE-674•Uncontrolled Recursion
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
References (39)
- https://access.redhat.com/errata/RHSA-2025:13681
- https://access.redhat.com/errata/RHSA-2025:22033
- https://access.redhat.com/errata/RHSA-2025:22034
- https://access.redhat.com/errata/RHSA-2025:22035
- https://access.redhat.com/errata/RHSA-2025:22607
- https://access.redhat.com/errata/RHSA-2025:22785
- https://access.redhat.com/errata/RHSA-2025:22842
- https://access.redhat.com/errata/RHSA-2025:22871
- https://access.redhat.com/errata/RHSA-2025:3531
- https://access.redhat.com/errata/RHSA-2025:3734
- https://access.redhat.com/errata/RHSA-2025:3913
- https://access.redhat.com/errata/RHSA-2025:4048
- https://access.redhat.com/errata/RHSA-2025:4446
- https://access.redhat.com/errata/RHSA-2025:4447
- https://access.redhat.com/errata/RHSA-2025:4448
- https://access.redhat.com/errata/RHSA-2025:4449
- https://access.redhat.com/errata/RHSA-2025:7444
- https://access.redhat.com/errata/RHSA-2025:7512
- https://access.redhat.com/errata/RHSA-2025:8385
- https://access.redhat.com/security/cve/CVE-2024-8176
- https://bugzilla.redhat.com/show_bug.cgi?id=2310137
- https://github.com/libexpat/libexpat/issues/893
- http://www.openwall.com/lists/oss-security/2025/03/15/1
- https://blog.hartwork.org/posts/expat-2-7-0-released/
- https://github.com/libexpat/libexpat/blob/R_2_7_0/expat/Changes#L40-L52
- https://bugzilla.suse.com/show_bug.cgi?id=1239618
- https://ubuntu.com/security/CVE-2024-8176
- https://security-tracker.debian.org/tracker/CVE-2024-8176
- https://gitlab.alpinelinux.org/alpine/aports/-/commit/d068c3ff36fc6f4789988a09c69b434db757db53
- https://security.netapp.com/advisory/ntap-20250328-0009/
- https://www.kb.cert.org/vuls/id/760160
- http://seclists.org/fulldisclosure/2025/May/12
- http://seclists.org/fulldisclosure/2025/May/11
- http://seclists.org/fulldisclosure/2025/May/10
- http://seclists.org/fulldisclosure/2025/May/8
- http://seclists.org/fulldisclosure/2025/May/7
- http://seclists.org/fulldisclosure/2025/May/6
- http://www.openwall.com/lists/oss-security/2025/09/24/11
- https://github.com/libexpat/libexpat/pull/973