new file mode 100644
@@ -0,0 +1,33 @@
+From c1ad5610cf060c6374d8f8d3b39163edd7053321 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Thu, 23 Apr 2026 10:31:45 +0200
+Subject: [PATCH 03/17] lib: Waterproof `copyString` from integer overflow
+
+CVE: CVE-2026-56408
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/16e2efd867ea8567ffa012210b52ef5918e20817]
+
+Backport Changes:
+- Keep the Scarthgap 2.6.4 copyString loop and add only the
+ upstream allocation overflow guard.
+
+(cherry picked from commit 16e2efd867ea8567ffa012210b52ef5918e20817)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ expat/lib/xmlparse.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index df92a3ca..12bbe23e 100644
+--- a/expat/lib/xmlparse.c
++++ b/expat/lib/xmlparse.c
+@@ -8489,6 +8489,10 @@ copyString(const XML_Char *s, XML_Parser parser) {
+ /* Include the terminator */
+ charsRequired++;
+
++ /* Detect and prevent integer overflow */
++ if (charsRequired > SIZE_MAX / sizeof(XML_Char))
++ return NULL;
++
+ /* Now allocate space for the copy */
+ result = MALLOC(parser, charsRequired * sizeof(XML_Char));
+ if (result == NULL)
@@ -53,6 +53,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \
file://CVE-2026-32778-02.patch \
file://CVE-2026-56403_p1.patch;striplevel=2 \
file://CVE-2026-56403_p2.patch;striplevel=2 \
+ file://CVE-2026-56408.patch;striplevel=2 \
"
GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"