Expat 2.8.1 released, includes security fixes
May 12, 2026
Submitted by Sebastian Pipping.
For readers new to Expat:
libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, specifically C99. It is cross-platform and licensed under the MIT license.
Expat 2.8.1 was released yesterday. The key motivation for cutting a release and doing so now was:
- Fixing vulnerability CVE-2026-45186, which allows an easy denial of service.
The vulnerability was reported to me responsibly about eight months ago by Nick Wellnhofer, the long-time and past maintainer of libxml2. The attack relies on Expat < 2.8.1 using an O(n²) runtime algorithm — a for loop — to check for collisions among attribute names. Berkay Eren Ürün and I teamed up for a fix. It uses a hash table instead of a linear loop to detect collisions, which turns overall runtime from O(n²) into O(n).
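To make the cost difference concrete, below is an added example written for this page; it is not code from libexpat or from the authors of the fix, and it does not reproduce how Expat's own hash table works. It runs the quadratic check (every attribute name compared with every earlier one) and a hash-set check over the same constructed list of names and counts the work each one does. The names "a0".."a<n-1>", the FNV-1a hash, the open-addressing table with linear probing and a 50% load ceiling, and all helper names are assumptions made for the illustration.

```c
/* Added example (not Expat's own code): duplicate attribute-name detection
 * for one start tag, the pre-2.8.1 way (nested loop, O(n^2)) beside the
 * 2.8.1 way (hash set, O(n)), instrumented so the work is measurable.
 * Names, hash, table layout and load factor are assumptions for this demo. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct dup_result {
    int verdict;      /* 1 duplicate found, 0 none, -1 allocation failure or disagreement */
    size_t quad_work; /* strcmp calls made by the quadratic check */
    size_t hash_work; /* slot probes made by the hash-set check */
};

/* Quadratic check: every name is compared with every earlier name. */
static int has_duplicate_quadratic(const char *const *names, size_t n, size_t *work)
{
    size_t cmp = 0;
    int found = 0;
    for (size_t i = 1; i < n && !found; i++)
        for (size_t j = 0; j < i; j++) {
            cmp++;
            if (strcmp(names[i], names[j]) == 0) { found = 1; break; }
        }
    if (work) *work = cmp;
    return found;
}

/* 64-bit FNV-1a over a NUL-terminated string (assumed hash, not Expat's). */
static uint64_t fnv1a(const char *s)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Linear check: insert each name into an open-addressing hash set kept at
 * <= 50% load; finding the name already present means a duplicate.
 * Returns 1 on duplicate, 0 if none, -1 if the table cannot be allocated. */
static int has_duplicate_hashed(const char *const *names, size_t n, size_t *work)
{
    size_t cap = 16;
    while (cap < 2 * n) cap <<= 1;           /* power of two: mask is cap - 1 */
    const char **slots = calloc(cap, sizeof *slots);
    if (!slots) return -1;
    size_t probes = 0;
    int found = 0;
    for (size_t i = 0; i < n && !found; i++) {
        size_t idx = (size_t)(fnv1a(names[i]) & (cap - 1));
        for (;;) {
            probes++;
            if (!slots[idx]) { slots[idx] = names[i]; break; }
            if (strcmp(slots[idx], names[i]) == 0) { found = 1; break; }
            idx = (idx + 1) & (cap - 1);     /* linear probing */
        }
    }
    free(slots);
    if (work) *work = probes;
    return found;
}

static void free_names(char **names, size_t total)
{
    if (!names) return;
    for (size_t i = 0; i < total; i++) free(names[i]);
    free(names);
}

/* Constructed input (not from any real document): n distinct names "a0".."a<n-1>",
 * optionally followed by a repeat of "a0", the way an attacker-controlled start
 * tag carrying thousands of attributes would present them to the parser. */
static char **make_names(size_t n, int repeat_first)
{
    size_t total = n + (repeat_first ? 1u : 0u);
    char **names = calloc(total, sizeof *names);
    if (!names) return NULL;
    for (size_t i = 0; i < total; i++) {
        names[i] = malloc(32);
        if (!names[i]) { free_names(names, total); return NULL; }
        snprintf(names[i], 32, "a%zu", i < n ? i : (size_t)0);
    }
    return names;
}

/* Runs both checks on the same constructed attribute list. */
static struct dup_result compare_checks(size_t n, int repeat_first)
{
    struct dup_result r = { -1, 0, 0 };
    size_t total = n + (repeat_first ? 1u : 0u);
    char **names = make_names(n, repeat_first);
    if (!names) return r;
    int q = has_duplicate_quadratic((const char *const *)names, total, &r.quad_work);
    int h = has_duplicate_hashed((const char *const *)names, total, &r.hash_work);
    free_names(names, total);
    r.verdict = (q == h && q >= 0) ? q : -1;
    return r;
}

int main(void)
{
    for (size_t n = 1000; n <= 8000; n *= 2) {
        struct dup_result r = compare_checks(n, 0);
        printf("n=%zu duplicate=%d strcmp calls (quadratic)=%zu probes (hashed)=%zu\n",
               n, r.verdict, r.quad_work, r.hash_work);
    }
    return 0;
}
```

Compiling and running this prints, for each n, the n(n-1)/2 strcmp calls the quadratic check makes beside the probe count of the hash-set check, which stays a small multiple of n; doubling n quadruples the first and roughly doubles the second. Two caveats for anyone writing such a check for real: the hashed version still calls strcmp, but only when a slot is occupied, so a hash that an attacker can make collide on purpose (the unkeyed FNV-1a used here is one) would let crafted names bring the quadratic behaviour back through the table; and the table must be bounded by the number of attributes actually seen, so that the fix does not trade CPU exhaustion for memory exhaustion.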
Thanks to everyone who contributed to this release of Expat!
For more details about this release, please check out the change log.
If you maintain Expat packaging, a bundled copy of Expat, or a pinned version of Expat, please update to version 2.8.1. Thank you!
Sebastian Pipping
PS: There is a longer, more detailed version of this article at blog.hartwork.org.