new file mode 100644
@@ -0,0 +1,48 @@
+From 759b77a8439bcbf57c86900bc472d46d8ef70c92 Mon Sep 17 00:00:00 2001
+From: netliomax25-code <netliomax25@gmail.com>
+Date: Fri, 29 May 2026 17:51:25 +0530
+Subject: [PATCH] xmlwf: protect resolveSystemId from integer overflow
+
+CVE: CVE-2026-56410
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/deeb97f7c88d17a16b0ea2521a13733abc283347]
+
+Backport Changes:
+- Adapt the allocation hunk to the explicit cast used by Expat 2.7.5 and
+ include stdint.h for SIZE_MAX.
+
+(cherry picked from commit deeb97f7c88d17a16b0ea2521a13733abc283347)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ expat/xmlwf/xmlfile.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/expat/xmlwf/xmlfile.c b/expat/xmlwf/xmlfile.c
+index c4eb839f..31a40209 100644
+--- a/expat/xmlwf/xmlfile.c
++++ b/expat/xmlwf/xmlfile.c
+@@ -42,6 +42,7 @@
+ #include "expat_config.h"
+
+ #include <stdio.h>
++#include <stdint.h>
+ #include <stdlib.h>
+ #include <stddef.h>
+ #include <string.h>
+@@ -138,8 +139,13 @@ resolveSystemId(const XML_Char *base, const XML_Char *systemId,
+ #endif
+ )
+ return systemId;
+- *toFree = (XML_Char *)malloc((tcslen(base) + tcslen(systemId) + 2)
+- * sizeof(XML_Char));
++ const size_t charsRequired = tcslen(base) + tcslen(systemId) + 2;
++
++ /* Detect and prevent integer overflow */
++ if (charsRequired > SIZE_MAX / sizeof(XML_Char))
++ return systemId;
++
++ *toFree = malloc(charsRequired * sizeof(XML_Char));
+ if (! *toFree)
+ return systemId;
+ tcscpy(*toFree, base);
+--
+2.43.7
new file mode 100644
@@ -0,0 +1,40 @@
+From f16fa442eaa81bfceec5302d977219959eaac7b7 Mon Sep 17 00:00:00 2001
+From: netliomax25-code <netliomax25@gmail.com>
+Date: Sat, 30 May 2026 11:28:51 +0530
+Subject: [PATCH] xmlwf: guard each operator in resolveSystemId length sum
+
+CVE: CVE-2026-56410
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/cee20e91bf14dc7f6d2fc48f0d70d86b2dc3afea]
+
+(cherry picked from commit cee20e91bf14dc7f6d2fc48f0d70d86b2dc3afea)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ expat/xmlwf/xmlfile.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/expat/xmlwf/xmlfile.c b/expat/xmlwf/xmlfile.c
+index 31a40209..15c69217 100644
+--- a/expat/xmlwf/xmlfile.c
++++ b/expat/xmlwf/xmlfile.c
+@@ -139,9 +139,17 @@ resolveSystemId(const XML_Char *base, const XML_Char *systemId,
+ #endif
+ )
+ return systemId;
+- const size_t charsRequired = tcslen(base) + tcslen(systemId) + 2;
++ const size_t baseLen = tcslen(base);
++ const size_t systemIdLen = tcslen(systemId);
+
+- /* Detect and prevent integer overflow */
++ /* Detect and prevent integer overflow in the addition (without risking
++ underflow) */
++ if (baseLen > SIZE_MAX - systemIdLen || baseLen > SIZE_MAX - systemIdLen - 2)
++ return systemId;
++
++ const size_t charsRequired = baseLen + systemIdLen + 2;
++
++ /* Detect and prevent integer overflow in the multiplication */
+ if (charsRequired > SIZE_MAX / sizeof(XML_Char))
+ return systemId;
+
+--
+2.43.7
@@ -15,6 +15,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \
file://CVE-2026-56408.patch;striplevel=2 \
file://CVE-2026-56404.patch;striplevel=2 \
file://CVE-2026-56405.patch;striplevel=2 \
+ file://CVE-2026-56410_p1.patch;striplevel=2 \
+ file://CVE-2026-56410_p2.patch;striplevel=2 \
"
GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"