new file mode 100644
@@ -0,0 +1,46 @@
+From e447d5d72884a1246894f111a5b72de4e479152e Mon Sep 17 00:00:00 2001
+From: netliomax25-code <netliomax25@gmail.com>
+Date: Tue, 2 Jun 2026 13:13:34 +0530
+Subject: [PATCH] xmlwf: protect notation list allocation from integer overflow
+
+CVE: CVE-2026-56411
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/528a4e5017e1bd3b48b689fd0c131df940ae3ea5]
+
+(cherry picked from commit 528a4e5017e1bd3b48b689fd0c131df940ae3ea5)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ expat/xmlwf/xmlwf.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/expat/xmlwf/xmlwf.c b/expat/xmlwf/xmlwf.c
+index 6a0a707a..a9640190 100644
+--- a/expat/xmlwf/xmlwf.c
++++ b/expat/xmlwf/xmlwf.c
+@@ -383,9 +383,9 @@ static void XMLCALL
+ endDoctypeDecl(void *userData) {
+ XmlwfUserData *data = (XmlwfUserData *)userData;
+ NotationList **notations;
+- int notationCount = 0;
++ size_t notationCount = 0;
+ NotationList *p;
+- int i;
++ size_t i;
+
+ /* How many notations do we have? */
+ for (p = data->notationListHead; p != NULL; p = p->next)
+@@ -395,6 +395,13 @@ endDoctypeDecl(void *userData) {
+ goto cleanUp;
+ }
+
++ /* Detect and prevent integer overflow in the multiplication, mirroring
++ the guards in xcsdup() and resolveSystemId() */
++ if (notationCount > SIZE_MAX / sizeof(NotationList *)) {
++ fprintf(stderr, "Unable to sort notations");
++ goto cleanUp;
++ }
++
+ notations = malloc(notationCount * sizeof(NotationList *));
+ if (notations == NULL) {
+ fprintf(stderr, "Unable to sort notations");
+--
+2.43.7
@@ -20,6 +20,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \
file://CVE-2026-56406-dependent.patch;striplevel=2 \
file://CVE-2026-56406.patch;striplevel=2 \
file://CVE-2026-56409.patch;striplevel=2 \
+ file://CVE-2026-56411.patch;striplevel=2 \
"
GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"