new file mode 100644
@@ -0,0 +1,70 @@
+From 02fd51c3475c400cf4095228eb1ce4fa19639f5f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Berkay=20Eren=20=C3=9Cr=C3=BCn?= <berkay.ueruen@siemens.com>
+Date: Fri, 13 Mar 2026 13:26:45 +0100
+Subject: [PATCH 1/8] Make "counting_start_element_handler" count default attrs
+
+(cherry picked from commit 0802a5892030610144b736dec6e2f63e8600fe85)
+
+CVE: CVE-2026-45186
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/1216/commits/0802a5892030610144b736dec6e2f63e8600fe85]
+Signed-off-by: Theo Gaige <tgaige.opensource@witekio.com>
+---
+ tests/basic_tests.c | 8 ++++----
+ tests/handlers.c | 2 +-
+ tests/handlers.h | 1 +
+ 3 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/tests/basic_tests.c b/tests/basic_tests.c
+index 023d9ce4..d6edb16b 100644
+--- a/tests/basic_tests.c
++++ b/tests/basic_tests.c
+@@ -2439,9 +2439,9 @@ START_TEST(test_attributes) {
+ {XCS("id"), XCS("one")},
+ {NULL, NULL}};
+ AttrInfo tag_info[] = {{XCS("c"), XCS("3")}, {NULL, NULL}};
+- ElementInfo info[] = {{XCS("doc"), 3, XCS("id"), NULL},
+- {XCS("tag"), 1, NULL, NULL},
+- {NULL, 0, NULL, NULL}};
++ ElementInfo info[] = {{XCS("doc"), 3, 0, XCS("id"), NULL},
++ {XCS("tag"), 1, 0, NULL, NULL},
++ {NULL, 0, 0, NULL, NULL}};
+ info[0].attributes = doc_info;
+ info[1].attributes = tag_info;
+
+@@ -5496,7 +5496,7 @@ START_TEST(test_deep_nested_attribute_entity) {
+ (long unsigned)(N_LINES - 1));
+
+ AttrInfo doc_info[] = {{XCS("name"), XCS("deepText")}, {NULL, NULL}};
+- ElementInfo info[] = {{XCS("foo"), 1, NULL, NULL}, {NULL, 0, NULL, NULL}};
++ ElementInfo info[] = {{XCS("foo"), 1, 0, NULL, NULL}, {NULL, 0, 0, NULL, NULL}};
+ info[0].attributes = doc_info;
+
+ XML_Parser parser = XML_ParserCreate(NULL);
+diff --git a/tests/handlers.c b/tests/handlers.c
+index e6582231..9ff7b354 100644
+--- a/tests/handlers.c
++++ b/tests/handlers.c
+@@ -137,7 +137,7 @@ counting_start_element_handler(void *userData, const XML_Char *name,
+ fail("ID does not have the correct name");
+ return;
+ }
+- for (i = 0; i < info->attr_count; i++) {
++ for (i = 0; i < info->attr_count + info->default_attr_count; i++) {
+ attr = info->attributes;
+ while (attr->name != NULL) {
+ if (! xcstrcmp(atts[0], attr->name))
+diff --git a/tests/handlers.h b/tests/handlers.h
+index ac4ca940..11d45ebd 100644
+--- a/tests/handlers.h
++++ b/tests/handlers.h
+@@ -88,6 +88,7 @@ typedef struct attrInfo {
+ typedef struct elementInfo {
+ const XML_Char *name;
+ int attr_count;
++ int default_attr_count;
+ const XML_Char *id_name;
+ AttrInfo *attributes;
+ } ElementInfo;
+--
+2.43.0
+
new file mode 100644
@@ -0,0 +1,318 @@
+From 943a9bccac7fa8d156807fb7f106335b4e02da36 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Berkay=20Eren=20=C3=9Cr=C3=BCn?= <berkay.ueruen@siemens.com>
+Date: Fri, 13 Mar 2026 13:27:31 +0100
+Subject: [PATCH 2/8] test(attlist): Cover duplicate attribute names
+
+Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
+(cherry picked from commit e569f47181c43dca5d262089e541ddf9a9c09927)
+
+CVE: CVE-2026-45186
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/1216/commits/e569f47181c43dca5d262089e541ddf9a9c09927]
+Signed-off-by: Theo Gaige <tgaige.opensource@witekio.com>
+---
+ tests/basic_tests.c | 282 ++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 282 insertions(+)
+
+diff --git a/tests/basic_tests.c b/tests/basic_tests.c
+index d6edb16b..907a4580 100644
+--- a/tests/basic_tests.c
++++ b/tests/basic_tests.c
+@@ -2462,6 +2462,279 @@ START_TEST(test_attributes) {
+ }
+ END_TEST
+
++START_TEST(test_duplicate_cdata_attribute) {
++ /*
++ https://www.w3.org/TR/xml/#attdecls
++
++ Test the following statement from the linked specification:
++ When more than one definition is provided for the same attribute of a given
++ element type, the first declaration is binding and later declarations are
++ ignored.
++ */
++
++ const char *text
++ = "<!DOCTYPE doc [\n"
++ " <!ATTLIST doc attribute CDATA 'expected' attribute CDATA 'ignored'>\n"
++ "]>\n"
++ "<doc/>\n";
++ AttrInfo doc_info[] = {{XCS("attribute"), XCS("expected")}, {NULL, NULL}};
++ ElementInfo info[]
++ = {{XCS("doc"), 0, 1, NULL, doc_info}, {NULL, 0, 0, NULL, NULL}};
++
++ XML_Parser parser = XML_ParserCreate(NULL);
++ assert_true(parser != NULL);
++
++ ParserAndElementInfo parserAndElementInfos = {
++ parser,
++ info,
++ };
++
++ XML_SetStartElementHandler(parser, counting_start_element_handler);
++ XML_SetUserData(parser, &parserAndElementInfos);
++
++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE)
++ != XML_STATUS_OK)
++ xml_failure(parser);
++
++ XML_ParserFree(parser);
++}
++END_TEST
++
++START_TEST(test_duplicate_id_attribute_1) {
++ /*
++ https://www.w3.org/TR/xml/#attdecls
++
++ Test the following statement from the linked specification:
++ When more than one definition is provided for the same attribute of a given
++ element type, the first declaration is binding and later declarations are
++ ignored.
++ */
++
++ const char *text
++ = "<!DOCTYPE doc [\n"
++ " <!ATTLIST doc identifier CDATA 'expected' identifier ID #REQUIRED>\n"
++ "]>\n"
++ "<doc/>\n";
++ AttrInfo doc_info[] = {{XCS("identifier"), XCS("expected")}, {NULL, NULL}};
++ ElementInfo info[]
++ = {{XCS("doc"), 0, 1, NULL, doc_info}, {NULL, 0, 0, NULL, NULL}};
++
++ XML_Parser parser = XML_ParserCreate(NULL);
++ assert_true(parser != NULL);
++
++ ParserAndElementInfo parserAndElementInfos = {
++ parser,
++ info,
++ };
++
++ XML_SetStartElementHandler(parser, counting_start_element_handler);
++ XML_SetUserData(parser, &parserAndElementInfos);
++
++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE)
++ != XML_STATUS_OK)
++ xml_failure(parser);
++
++ XML_ParserFree(parser);
++}
++END_TEST
++
++START_TEST(test_duplicate_id_attribute_2) {
++ /*
++ https://www.w3.org/TR/xml/#attdecls
++
++ Test the following statement from the linked specification:
++ When more than one definition is provided for the same attribute of a given
++ element type, the first declaration is binding and later declarations are
++ ignored.
++ */
++
++ const char *text
++ = "<!DOCTYPE doc [\n"
++ " <!ATTLIST doc identifier ID #REQUIRED identifier CDATA 'unexpected'>\n"
++ "]>\n"
++ "<doc/>\n";
++ AttrInfo doc_info[] = {{NULL, NULL}};
++
++ ElementInfo info[]
++ = {{XCS("doc"), 0, 0, NULL, doc_info}, {NULL, 0, 0, NULL, NULL}};
++
++ XML_Parser parser = XML_ParserCreate(NULL);
++ assert_true(parser != NULL);
++
++ ParserAndElementInfo parserAndElementInfos = {
++ parser,
++ info,
++ };
++
++ XML_SetStartElementHandler(parser, counting_start_element_handler);
++ XML_SetUserData(parser, &parserAndElementInfos);
++
++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE)
++ != XML_STATUS_OK)
++ xml_failure(parser);
++
++ XML_ParserFree(parser);
++}
++END_TEST
++
++START_TEST(test_duplicate_cdata_attribute_multiple_attlistdecl) {
++ /*
++ https://www.w3.org/TR/xml/#attdecls
++
++ Test the following statement from the linked specification:
++ When more than one AttlistDecl is provided for a given element type,
++ the contents of all those provided are merged.
++ */
++ const char *text = "<!DOCTYPE doc [\n"
++ " <!ATTLIST doc attribute CDATA 'expected'>\n"
++ " <!ATTLIST doc attribute CDATA 'ignored'>\n"
++ "]>\n"
++ "<doc/>\n";
++ AttrInfo doc_info[] = {{XCS("attribute"), XCS("expected")}, {NULL, NULL}};
++ ElementInfo info[]
++ = {{XCS("doc"), 0, 1, NULL, doc_info}, {NULL, 0, 0, NULL, NULL}};
++
++ XML_Parser parser = XML_ParserCreate(NULL);
++ assert_true(parser != NULL);
++
++ ParserAndElementInfo parserAndElementInfos = {
++ parser,
++ info,
++ };
++
++ XML_SetStartElementHandler(parser, counting_start_element_handler);
++ XML_SetUserData(parser, &parserAndElementInfos);
++
++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE)
++ != XML_STATUS_OK)
++ xml_failure(parser);
++
++ XML_ParserFree(parser);
++}
++END_TEST
++
++START_TEST(test_duplicate_cdata_attribute_multiple_attlistdecl_2) {
++ /*
++ https://www.w3.org/TR/xml/#attdecls
++
++ Test the following statement from the linked specification:
++ When more than one AttlistDecl is provided for a given element type,
++ the contents of all those provided are merged.
++ */
++ const char *text = "<!DOCTYPE doc [\n"
++ " <!ATTLIST doc attribute CDATA 'expected_doc'>\n"
++ " <!ATTLIST tag attribute CDATA 'expected_tag'>\n"
++ " <!ATTLIST doc attribute CDATA 'ignored_doc'>\n"
++ "]>\n"
++ "<doc><tag></tag></doc>\n";
++ AttrInfo doc_info[] = {{XCS("attribute"), XCS("expected_doc")}, {NULL, NULL}};
++ AttrInfo tag_info[] = {{XCS("attribute"), XCS("expected_tag")}, {NULL, NULL}};
++ ElementInfo info[] = {{XCS("doc"), 0, 1, NULL, doc_info},
++ {XCS("tag"), 0, 1, NULL, tag_info},
++ {NULL, 0, 0, NULL, NULL}};
++
++ XML_Parser parser = XML_ParserCreate(NULL);
++ assert_true(parser != NULL);
++
++ ParserAndElementInfo parserAndElementInfos = {
++ parser,
++ info,
++ };
++
++ XML_SetStartElementHandler(parser, counting_start_element_handler);
++ XML_SetUserData(parser, &parserAndElementInfos);
++
++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE)
++ != XML_STATUS_OK)
++ xml_failure(parser);
++
++ XML_ParserFree(parser);
++}
++END_TEST
++
++START_TEST(test_duplicate_cdata_attribute_multiple_attlistdecl_3) {
++ /*
++ https://www.w3.org/TR/xml/#attdecls
++
++ Test the following statement from the linked specification:
++ When more than one AttlistDecl is provided for a given element type,
++ the contents of all those provided are merged.
++ */
++ const char *text
++ = "<!DOCTYPE doc [\n"
++ " <!ATTLIST doc attribute CDATA 'expected_doc'>\n"
++ " <!ATTLIST tag attribute CDATA 'expected_tag'>\n"
++ " <!ATTLIST doc second_attribute CDATA 'second_expected_doc' attribute CDATA 'ignored_doc'>\n"
++ "]>\n"
++ "<doc><tag></tag></doc>\n";
++ AttrInfo doc_info[] = {{XCS("attribute"), XCS("expected_doc")},
++ {XCS("second_attribute"), XCS("second_expected_doc")},
++ {NULL, NULL}};
++ AttrInfo tag_info[] = {{XCS("attribute"), XCS("expected_tag")}, {NULL, NULL}};
++ ElementInfo info[] = {{XCS("doc"), 0, 2, NULL, doc_info},
++ {XCS("tag"), 0, 1, NULL, tag_info},
++ {NULL, 0, 0, NULL, NULL}};
++
++ XML_Parser parser = XML_ParserCreate(NULL);
++ assert_true(parser != NULL);
++
++ ParserAndElementInfo parserAndElementInfos = {
++ parser,
++ info,
++ };
++
++ XML_SetStartElementHandler(parser, counting_start_element_handler);
++ XML_SetUserData(parser, &parserAndElementInfos);
++
++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE)
++ != XML_STATUS_OK)
++ xml_failure(parser);
++
++ XML_ParserFree(parser);
++}
++END_TEST
++
++START_TEST(test_duplicate_id_attribute_multiple_attlistdecl) {
++ /*
++ https://www.w3.org/TR/xml/#attdecls
++
++ Test the following statement from the linked specification:
++ When more than one AttlistDecl is provided for a given element type,
++ the contents of all those provided are merged.
++ */
++ const char *text = "<!DOCTYPE doc [\n"
++ " <!ATTLIST doc identifier ID #REQUIRED>\n"
++ " <!ATTLIST tag identifier CDATA 'identifier_tag'>\n"
++ " <!ATTLIST doc identifier CDATA 'ignored'>\n"
++ "]>\n"
++ "<doc identifier='doc_identity'><tag></tag></doc>\n";
++ AttrInfo doc_info[]
++ = {{XCS("identifier"), XCS("doc_identity")}, {NULL, NULL}};
++ AttrInfo tag_info[]
++ = {{XCS("identifier"), XCS("identifier_tag")}, {NULL, NULL}};
++ ElementInfo info[] = {{XCS("doc"), 1, 0, XCS("identifier"), doc_info},
++ {XCS("tag"), 0, 1, NULL, tag_info},
++ {NULL, 0, 0, NULL, NULL}};
++
++ XML_Parser parser = XML_ParserCreate(NULL);
++ assert_true(parser != NULL);
++
++ ParserAndElementInfo parserAndElementInfos = {
++ parser,
++ info,
++ };
++
++ XML_SetStartElementHandler(parser, counting_start_element_handler);
++ XML_SetUserData(parser, &parserAndElementInfos);
++
++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE)
++ != XML_STATUS_OK)
++ xml_failure(parser);
++
++ XML_ParserFree(parser);
++}
++END_TEST
++
+ /* Test reset works correctly in the middle of processing an internal
+ * entity. Exercises some obscure code in XML_ParserReset().
+ */
+@@ -6325,6 +6598,15 @@ make_basic_test_case(Suite *s) {
+ tcase_add_test__ifdef_xml_dtd(tc_basic, test_empty_foreign_dtd);
+ tcase_add_test(tc_basic, test_set_base);
+ tcase_add_test(tc_basic, test_attributes);
++ tcase_add_test(tc_basic, test_duplicate_cdata_attribute);
++ tcase_add_test(tc_basic, test_duplicate_id_attribute_1);
++ tcase_add_test(tc_basic, test_duplicate_id_attribute_2);
++ tcase_add_test(tc_basic, test_duplicate_cdata_attribute_multiple_attlistdecl);
++ tcase_add_test(tc_basic,
++ test_duplicate_cdata_attribute_multiple_attlistdecl_2);
++ tcase_add_test(tc_basic,
++ test_duplicate_cdata_attribute_multiple_attlistdecl_3);
++ tcase_add_test(tc_basic, test_duplicate_id_attribute_multiple_attlistdecl);
+ tcase_add_test__if_xml_ge(tc_basic, test_reset_in_entity);
+ tcase_add_test(tc_basic, test_resume_invalid_parse);
+ tcase_add_test(tc_basic, test_resume_resuspended);
+--
+2.43.0
+
new file mode 100644
@@ -0,0 +1,46 @@
+From 74e67b6a37d2e14b899a182bad37d8c49c539f29 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 20 Apr 2026 13:44:43 +0200
+Subject: [PATCH 3/8] tests: Define .attributes the first time around
+
+(cherry picked from commit 05307d352a5aa858cdda57ec53a53b597b3a4a82)
+
+CVE: CVE-2026-45186
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/1216/commits/05307d352a5aa858cdda57ec53a53b597b3a4a82]
+Signed-off-by: Theo Gaige <tgaige.opensource@witekio.com>
+---
+ tests/basic_tests.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/tests/basic_tests.c b/tests/basic_tests.c
+index 907a4580..b0178fc7 100644
+--- a/tests/basic_tests.c
++++ b/tests/basic_tests.c
+@@ -2439,11 +2439,9 @@ START_TEST(test_attributes) {
+ {XCS("id"), XCS("one")},
+ {NULL, NULL}};
+ AttrInfo tag_info[] = {{XCS("c"), XCS("3")}, {NULL, NULL}};
+- ElementInfo info[] = {{XCS("doc"), 3, 0, XCS("id"), NULL},
+- {XCS("tag"), 1, 0, NULL, NULL},
++ ElementInfo info[] = {{XCS("doc"), 3, 0, XCS("id"), doc_info},
++ {XCS("tag"), 1, 0, NULL, tag_info},
+ {NULL, 0, 0, NULL, NULL}};
+- info[0].attributes = doc_info;
+- info[1].attributes = tag_info;
+
+ XML_Parser parser = XML_ParserCreate(NULL);
+ assert_true(parser != NULL);
+@@ -5769,8 +5767,8 @@ START_TEST(test_deep_nested_attribute_entity) {
+ (long unsigned)(N_LINES - 1));
+
+ AttrInfo doc_info[] = {{XCS("name"), XCS("deepText")}, {NULL, NULL}};
+- ElementInfo info[] = {{XCS("foo"), 1, 0, NULL, NULL}, {NULL, 0, 0, NULL, NULL}};
+- info[0].attributes = doc_info;
++ ElementInfo info[]
++ = {{XCS("foo"), 1, 0, NULL, doc_info}, {NULL, 0, 0, NULL, NULL}};
+
+ XML_Parser parser = XML_ParserCreate(NULL);
+ ParserAndElementInfo parserPlusElemenInfo = {parser, info};
+--
+2.43.0
+
new file mode 100644
@@ -0,0 +1,32 @@
+From fa671cc8f4900c709231732c40b0941d4ec36f53 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 13 Apr 2026 01:34:03 +0200
+Subject: [PATCH 4/8] tests: Make counting_start_element_handler enforce
+ complete attribute lists
+
+(cherry picked from commit 4176aff73840711060913e0ac6aa1168d8ba5c8d)
+
+CVE: CVE-2026-45186
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/1216/commits/4176aff73840711060913e0ac6aa1168d8ba5c8d]
+Signed-off-by: Theo Gaige <tgaige.opensource@witekio.com>
+---
+ tests/handlers.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tests/handlers.c b/tests/handlers.c
+index 9ff7b354..5e72e8b6 100644
+--- a/tests/handlers.c
++++ b/tests/handlers.c
+@@ -155,6 +155,9 @@ counting_start_element_handler(void *userData, const XML_Char *name,
+ /* Remember, two entries in atts per attribute (see above) */
+ atts += 2;
+ }
++
++ // Self-test that the test case's list of expected attributes is complete
++ assert_true(atts[0] == NULL);
+ }
+
+ void XMLCALL
+--
+2.43.0
+
new file mode 100644
@@ -0,0 +1,32 @@
+From 3e060a687a3485938f98244f92ebc6f87d53a019 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sun, 8 Mar 2026 22:14:41 +0100
+Subject: [PATCH 5/8] lib: Extract a constant for upcoming reuse
+
+(cherry picked from commit fb35f2d2040d114f355bae8a7450942533237530)
+
+CVE: CVE-2026-45186
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/1216/commits/fb35f2d2040d114f355bae8a7450942533237530]
+Signed-off-by: Theo Gaige <tgaige.opensource@witekio.com>
+---
+ lib/xmlparse.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 9bc67f38..8d3e8db1 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -7708,8 +7708,9 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd,
+ newE->prefix = (PREFIX *)lookup(oldParser, &(newDtd->prefixes),
+ oldE->prefix->name, 0);
+ for (i = 0; i < newE->nDefaultAtts; i++) {
++ const XML_Char *const attributeName = oldE->defaultAtts[i].id->name;
+ newE->defaultAtts[i].id = (ATTRIBUTE_ID *)lookup(
+- oldParser, &(newDtd->attributeIds), oldE->defaultAtts[i].id->name, 0);
++ oldParser, &(newDtd->attributeIds), attributeName, 0);
+ newE->defaultAtts[i].isCdata = oldE->defaultAtts[i].isCdata;
+ if (oldE->defaultAtts[i].value) {
+ newE->defaultAtts[i].value
+--
+2.43.0
+
new file mode 100644
@@ -0,0 +1,87 @@
+From cbf6df87b8525169533e0742fd587fdb0d9ec997 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sun, 8 Mar 2026 23:05:49 +0100
+Subject: [PATCH 6/8] lib: Introduce ELEMENT_TYPE.defaultAttsNames
+
+(cherry picked from commit 7f0f1b9e70d937072d2e9e37ae9edf27784cc080)
+
+CVE: CVE-2026-45186
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/1216/commits/7f0f1b9e70d937072d2e9e37ae9edf27784cc080]
+Signed-off-by: Theo Gaige <tgaige.opensource@witekio.com>
+---
+ lib/xmlparse.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 8d3e8db1..4a29c18f 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -388,6 +388,7 @@ typedef struct {
+ int nDefaultAtts;
+ int allocDefaultAtts;
+ DEFAULT_ATTRIBUTE *defaultAtts;
++ HASH_TABLE defaultAttsNames;
+ } ELEMENT_TYPE;
+
+ typedef struct {
+@@ -3844,6 +3845,8 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+ sizeof(ELEMENT_TYPE));
+ if (! elementType)
+ return XML_ERROR_NO_MEMORY;
++ if (! elementType->defaultAttsNames.parser)
++ hashTableInit(&(elementType->defaultAttsNames), parser);
+ if (parser->m_ns && ! setElementTypePrefix(parser, elementType))
+ return XML_ERROR_NO_MEMORY;
+ }
+@@ -7549,6 +7552,7 @@ dtdReset(DTD *p, XML_Parser parser) {
+ ELEMENT_TYPE *e = (ELEMENT_TYPE *)hashTableIterNext(&iter);
+ if (! e)
+ break;
++ hashTableDestroy(&(e->defaultAttsNames));
+ if (e->allocDefaultAtts != 0)
+ FREE(parser, e->defaultAtts);
+ }
+@@ -7590,6 +7594,7 @@ dtdDestroy(DTD *p, XML_Bool isDocEntity, XML_Parser parser) {
+ ELEMENT_TYPE *e = (ELEMENT_TYPE *)hashTableIterNext(&iter);
+ if (! e)
+ break;
++ hashTableDestroy(&(e->defaultAttsNames));
+ if (e->allocDefaultAtts != 0)
+ FREE(parser, e->defaultAtts);
+ }
+@@ -7683,6 +7688,10 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd,
+ sizeof(ELEMENT_TYPE));
+ if (! newE)
+ return 0;
++
++ if (! newE->defaultAttsNames.parser)
++ hashTableInit(&(newE->defaultAttsNames), parser);
++
+ if (oldE->nDefaultAtts) {
+ /* Detect and prevent integer overflow.
+ * The preprocessor guard addresses the "always false" warning
+@@ -7719,6 +7728,12 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd,
+ return 0;
+ } else
+ newE->defaultAtts[i].value = NULL;
++
++ NAMED *const nameAddedOrFound = (NAMED *)lookup(
++ parser, &(newE->defaultAttsNames), attributeName, sizeof(NAMED));
++ if (! nameAddedOrFound) {
++ return 0;
++ }
+ }
+ }
+
+@@ -8458,6 +8473,8 @@ getElementType(XML_Parser parser, const ENCODING *enc, const char *ptr,
+ sizeof(ELEMENT_TYPE));
+ if (! ret)
+ return NULL;
++ if (! ret->defaultAttsNames.parser)
++ hashTableInit(&(ret->defaultAttsNames), getRootParserOf(parser, NULL));
+ if (ret->name != name)
+ poolDiscard(&dtd->pool);
+ else {
+--
+2.43.0
+
new file mode 100644
@@ -0,0 +1,52 @@
+From 6c72e124eb8f699977600edc5183ecce89ce13ec Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sun, 8 Mar 2026 23:06:29 +0100
+Subject: [PATCH 7/8] lib: Leverage ELEMENT_TYPE.defaultAttsNames for attribute
+ collision detection
+
+.. to resolve quadratic runtime behavior
+
+(cherry picked from commit 4cd4eb0683e04cd45a2ffc81a08ca2a2663994b5)
+
+CVE: CVE-2026-45186
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/1216/commits/4cd4eb0683e04cd45a2ffc81a08ca2a2663994b5]
+Signed-off-by: Theo Gaige <tgaige.opensource@witekio.com>
+---
+ lib/xmlparse.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 4a29c18f..b3f0b734 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -7177,10 +7177,10 @@ defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *attId, XML_Bool isCdata,
+ if (value || isId) {
+ /* The handling of default attributes gets messed up if we have
+ a default which duplicates a non-default. */
+- int i;
+- for (i = 0; i < type->nDefaultAtts; i++)
+- if (attId == type->defaultAtts[i].id)
+- return 1;
++ NAMED *const nameFound
++ = (NAMED *)lookup(parser, &(type->defaultAttsNames), attId->name, 0);
++ if (nameFound)
++ return 1;
+ if (isId && ! type->idAtt && ! attId->xmlns)
+ type->idAtt = attId;
+ }
+@@ -7227,6 +7227,12 @@ defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *attId, XML_Bool isCdata,
+ att->isCdata = isCdata;
+ if (! isCdata)
+ attId->maybeTokenized = XML_TRUE;
++
++ NAMED *const nameAddedOrFound = (NAMED *)lookup(
++ parser, &(type->defaultAttsNames), attId->name, sizeof(NAMED));
++ if (! nameAddedOrFound)
++ return 0;
++
+ type->nDefaultAtts += 1;
+ return 1;
+ }
+--
+2.43.0
+
new file mode 100644
@@ -0,0 +1,39 @@
+From 594f59a8013ab78cd2e439f4c8d56ed5d261b0a4 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Fri, 8 May 2026 22:16:24 +0200
+Subject: [PATCH 8/8] Changes: Document CVE-2026-45186
+
+(cherry picked from commit 1045a780a850f1fd0ee3a59b04ec79dd659705ec)
+
+CVE: CVE-2026-45186
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/1216/commits/1045a780a850f1fd0ee3a59b04ec79dd659705ec]
+Signed-off-by: Theo Gaige <tgaige.opensource@witekio.com>
+---
+ Changes | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/Changes b/Changes
+index 4265d608..1d91af70 100644
+--- a/Changes
++++ b/Changes
+@@ -30,6 +30,17 @@
+ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+ Patches:
++ Security fixes:
++ #1216 CVE-2026-45186 -- Fix quadratic runtime from attribute name
++ collision checks that allowed denial of service attacks
++ through moderately sized crafted XML input (CWE-407).
++ Please note that a layer of compression around XML can
++ significantly reduce the minimum attack payload size.
++
++ Special thanks to:
++ Berkay Eren Ürün
++ Nick Wellnhofer
++
+ Security fixes:
+ #1018 #1034 CVE-2025-59375 -- Disallow use of disproportional amounts of
+ dynamic memory from within an Expat parser (e.g. previously
+--
+2.43.0
+
@@ -51,6 +51,14 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \
file://CVE-2026-32777-02.patch \
file://CVE-2026-32778-01.patch \
file://CVE-2026-32778-02.patch \
+ file://CVE-2026-45186-01.patch \
+ file://CVE-2026-45186-02.patch \
+ file://CVE-2026-45186-03.patch \
+ file://CVE-2026-45186-04.patch \
+ file://CVE-2026-45186-05.patch \
+ file://CVE-2026-45186-06.patch \
+ file://CVE-2026-45186-07.patch \
+ file://CVE-2026-45186-08.patch \
"
GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"