new file mode 100644
@@ -0,0 +1,36 @@
+From b0cf9e9b0f5dfdd938148931a4605a0fd6b917a7 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Thu, 23 Apr 2026 10:31:45 +0200
+Subject: [PATCH] lib: Waterproof `copyString` from integer overflow
+
+CVE: CVE-2026-56408
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/16e2efd867ea8567ffa012210b52ef5918e20817]
+
+Backport Changes:
+- Adapt the fix to Expat 2.7.5, which calculates charsRequired using
+ an existing loop instead of xcslen. The upstream string helper
+ refactoring is not required for the overflow guard.
+
+(cherry picked from commit 16e2efd867ea8567ffa012210b52ef5918e20817)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ expat/lib/xmlparse.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index e441ff7f..4ff5e33b 100644
+--- a/expat/lib/xmlparse.c
++++ b/expat/lib/xmlparse.c
+@@ -8505,6 +8505,10 @@ copyString(const XML_Char *s, XML_Parser parser) {
+ /* Include the terminator */
+ charsRequired++;
+
++ /* Detect and prevent integer overflow */
++ if (charsRequired > SIZE_MAX / sizeof(XML_Char))
++ return NULL;
++
+ /* Now allocate space for the copy */
+ result = MALLOC(parser, charsRequired * sizeof(XML_Char));
+ if (result == NULL)
+--
+2.43.7
@@ -12,6 +12,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \
file://run-ptest \
file://CVE-2026-56403_p1.patch;striplevel=2 \
file://CVE-2026-56403_p2.patch;striplevel=2 \
+ file://CVE-2026-56408.patch;striplevel=2 \
"
GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"