new file mode 100644
@@ -0,0 +1,46 @@
+From b454931c42290c9f0faf2a01f9634d82db636bac Mon Sep 17 00:00:00 2001
+From: netliomax25-code <netliomax25@gmail.com>
+Date: Fri, 29 May 2026 17:51:25 +0530
+Subject: [PATCH 06/17] xmlwf: protect resolveSystemId from integer overflow
+
+CVE: CVE-2026-56410
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/deeb97f7c88d17a16b0ea2521a13733abc283347]
+
+Backport Changes:
+- Adapt the allocation hunk to Scarthgap 2.6.4's explicit cast and
+ include stdint.h so SIZE_MAX is available.
+
+(cherry picked from commit deeb97f7c88d17a16b0ea2521a13733abc283347)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ expat/xmlwf/xmlfile.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/expat/xmlwf/xmlfile.c b/expat/xmlwf/xmlfile.c
+index 9c4f7f8d..ad691b12 100644
+--- a/expat/xmlwf/xmlfile.c
++++ b/expat/xmlwf/xmlfile.c
+@@ -41,6 +41,7 @@
+ #include "expat_config.h"
+
+ #include <stdio.h>
++#include <stdint.h>
+ #include <stdlib.h>
+ #include <stddef.h>
+ #include <string.h>
+@@ -130,8 +131,13 @@ resolveSystemId(const XML_Char *base, const XML_Char *systemId,
+ #endif
+ )
+ return systemId;
+- *toFree = (XML_Char *)malloc((tcslen(base) + tcslen(systemId) + 2)
+- * sizeof(XML_Char));
++ const size_t charsRequired = tcslen(base) + tcslen(systemId) + 2;
++
++ /* Detect and prevent integer overflow */
++ if (charsRequired > SIZE_MAX / sizeof(XML_Char))
++ return systemId;
++
++ *toFree = malloc(charsRequired * sizeof(XML_Char));
+ if (! *toFree)
+ return systemId;
+ tcscpy(*toFree, base);
new file mode 100644
@@ -0,0 +1,39 @@
+From 7e6230212ddc4ea74115218fdbe5717e8e1c0f2b Mon Sep 17 00:00:00 2001
+From: netliomax25-code <netliomax25@gmail.com>
+Date: Sat, 30 May 2026 11:28:51 +0530
+Subject: [PATCH 07/17] xmlwf: guard each operator in resolveSystemId length
+ sum
+
+CVE: CVE-2026-56410
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/cee20e91bf14dc7f6d2fc48f0d70d86b2dc3afea]
+
+(cherry picked from commit cee20e91bf14dc7f6d2fc48f0d70d86b2dc3afea)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ expat/xmlwf/xmlfile.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/expat/xmlwf/xmlfile.c b/expat/xmlwf/xmlfile.c
+index ad691b12..4d2e3220 100644
+--- a/expat/xmlwf/xmlfile.c
++++ b/expat/xmlwf/xmlfile.c
+@@ -131,9 +131,17 @@ resolveSystemId(const XML_Char *base, const XML_Char *systemId,
+ #endif
+ )
+ return systemId;
+- const size_t charsRequired = tcslen(base) + tcslen(systemId) + 2;
++ const size_t baseLen = tcslen(base);
++ const size_t systemIdLen = tcslen(systemId);
+
+- /* Detect and prevent integer overflow */
++ /* Detect and prevent integer overflow in the addition (without risking
++ underflow) */
++ if (baseLen > SIZE_MAX - systemIdLen || baseLen > SIZE_MAX - systemIdLen - 2)
++ return systemId;
++
++ const size_t charsRequired = baseLen + systemIdLen + 2;
++
++ /* Detect and prevent integer overflow in the multiplication */
+ if (charsRequired > SIZE_MAX / sizeof(XML_Char))
+ return systemId;
+
@@ -56,6 +56,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \
file://CVE-2026-56408.patch;striplevel=2 \
file://CVE-2026-56404.patch;striplevel=2 \
file://CVE-2026-56405.patch;striplevel=2 \
+ file://CVE-2026-56410_p1.patch;striplevel=2 \
+ file://CVE-2026-56410_p2.patch;striplevel=2 \
"
GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"