diff --git a/meta/recipes-core/expat/expat/CVE-2026-56411.patch b/meta/recipes-core/expat/expat/CVE-2026-56411.patch
new file mode 100644
index 0000000000..66cab29bc1
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2026-56411.patch
@@ -0,0 +1,62 @@
+From 021dd272c0d3d40af16575f46a9ac197031c2acd Mon Sep 17 00:00:00 2001
+From: netliomax25-code <netliomax25@gmail.com>
+Date: Tue, 2 Jun 2026 13:13:34 +0530
+Subject: [PATCH] xmlwf: protect notation list allocation from integer overflow
+
+CVE: CVE-2026-56411
+
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/1263]
+
+Changes from upstream for 2.6.4:
+ - Changed notationCount and i from int to size_t.
+ - Added #include <stdint.h> for SIZE_MAX.
+ - Used "freeNotations(data); return;" instead of "goto cleanUp;" as
+   2.6.4 has no cleanUp label, and also free currentDoctypeName on the
+   error path to match the other exit paths in the function.
+
+Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
+---
+ xmlwf/xmlwf.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/xmlwf/xmlwf.c b/xmlwf/xmlwf.c
+--- a/xmlwf/xmlwf.c
++++ b/xmlwf/xmlwf.c
+@@ -47,6 +47,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <stddef.h>
++#include <stdint.h> /* for SIZE_MAX */
+ #include <string.h>
+ #include <math.h> /* for isnan */
+ #include <errno.h>
+@@ -381,9 +382,9 @@ static void XMLCALL
+ endDoctypeDecl(void *userData) {
+   XmlwfUserData *data = (XmlwfUserData *)userData;
+   NotationList **notations;
+-  int notationCount = 0;
++  size_t notationCount = 0;
+   NotationList *p;
+-  int i;
++  size_t i;
+ 
+   /* How many notations do we have? */
+   for (p = data->notationListHead; p != NULL; p = p->next)
+@@ -394,6 +395,16 @@ endDoctypeDecl(void *userData) {
+     return;
+   }
+ 
++  /* Detect and prevent integer overflow in the multiplication, mirroring
++     the guards in xcsdup() and resolveSystemId() */
++  if (notationCount > SIZE_MAX / sizeof(NotationList *)) {
++    fprintf(stderr, "Unable to sort notations");
++    freeNotations(data);
++    free((void *)data->currentDoctypeName);
++    data->currentDoctypeName = NULL;
++    return;
++  }
++
+   notations = malloc(notationCount * sizeof(NotationList *));
+   if (notations == NULL) {
+     fprintf(stderr, "Unable to sort notations");
+-- 
+2.34.1
diff --git a/meta/recipes-core/expat/expat_2.6.4.bb b/meta/recipes-core/expat/expat_2.6.4.bb
index 048093f010..7259ce7436 100644
--- a/meta/recipes-core/expat/expat_2.6.4.bb
+++ b/meta/recipes-core/expat/expat_2.6.4.bb
@@ -46,6 +46,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2  \
            file://CVE-2026-25210-01.patch \
            file://CVE-2026-25210-02.patch \
            file://CVE-2026-25210-03.patch \
+           file://CVE-2026-56411.patch \
            "
 
 GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"
