new file mode 100644
@@ -0,0 +1,46 @@
+From 8cb4583ac3204175a03c8ea8e371adee583b0bec Mon Sep 17 00:00:00 2001
+From: netliomax25-code <netliomax25@gmail.com>
+Date: Thu, 28 May 2026 12:44:11 +0530
+Subject: [PATCH] lib: protect function addBinding from signed integer overflow
+
+CVE: CVE-2026-56404
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/babfc48090977cbf7be24b2c48f6053dca75c164]
+
+(cherry picked from commit babfc48090977cbf7be24b2c48f6053dca75c164)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ expat/lib/xmlparse.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 53f842d1..33b92c9c 100644
+--- a/expat/lib/xmlparse.c
++++ b/expat/lib/xmlparse.c
+@@ -4485,6 +4485,10 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
+ }
+
+ for (len = 0; uri[len]; len++) {
++ /* Detect and prevent signed integer overflow */
++ if (len == INT_MAX) {
++ return XML_ERROR_NO_MEMORY;
++ }
+ if (isXML && (len > xmlLen || uri[len] != xmlNamespace[len]))
+ isXML = XML_FALSE;
+
+@@ -4525,8 +4529,13 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
+ if (isXMLNS)
+ return XML_ERROR_RESERVED_NAMESPACE_URI;
+
+- if (parser->m_namespaceSeparator)
++ if (parser->m_namespaceSeparator) {
++ /* Detect and prevent signed integer overflow */
++ if (len == INT_MAX) {
++ return XML_ERROR_NO_MEMORY;
++ }
+ len++;
++ }
+ if (parser->m_freeBindingList) {
+ b = parser->m_freeBindingList;
+ if (len > b->uriAlloc) {
+--
+2.43.7
@@ -13,6 +13,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \
file://CVE-2026-56403_p1.patch;striplevel=2 \
file://CVE-2026-56403_p2.patch;striplevel=2 \
file://CVE-2026-56408.patch;striplevel=2 \
+ file://CVE-2026-56404.patch;striplevel=2 \
"
GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"