CVE-2023-52426: 
Bottlerocket vulnerability analysis and mitigation

CVE-2023-52426 affects libexpat through version 2.5.0, where a vulnerability exists when XML_DTD is undefined at compile time, allowing recursive XML Entity Expansion. The vulnerability was discovered and disclosed in early 2024, affecting the libexpat XML parser library and various systems that incorporate it (NVD, GitHub PR).

The vulnerability is related to improper restriction of recursive entity references in DTDs (XML Entity Expansion), specifically when XML_DTD is undefined during compilation. It has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The issue falls under CWE-776 category, which involves improper restriction of recursive entity references in DTDs (NVD, CWE).

When successfully exploited, this vulnerability can lead to a Denial of Service (DoS) condition through explosive growth of data when parsed. The vulnerability allows attackers to trigger resource consumption through recursive entity expansion, potentially exhausting system resources (NetApp Advisory).

The vulnerability has been fixed in libexpat version 2.6.0. Organizations using affected versions should upgrade to the patched version. The fix extends the scope of billion laughs attack protection to cases where XML_DTD is undefined at compile time (GitHub Commit).

Various organizations and distributions have responded to this vulnerability. Fedora has released security updates for affected packages in versions 38 and 39. NetApp has issued an advisory and is actively updating their products to address the vulnerability (Fedora Update, NetApp Advisory).