CVE-2025-59375: 
Rocky Linux vulnerability analysis and mitigation

A memory amplification vulnerability was discovered in libexpat versions before 2.7.2, identified as CVE-2025-59375. The vulnerability allows attackers to trigger large dynamic memory allocations by submitting a small document for parsing. The issue was discovered through OSS-Fuzz testing and was publicly disclosed on September 14, 2025 (NVD, Ubuntu).

The vulnerability stems from the XML parser's handling of opening tags, where each tag (approximately 3 bytes) triggers an allocation of at least 120 bytes of dynamic memory on amd64 hardware. This can lead to memory usage exceeding 1,000 times the payload filesize. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility with no required privileges or user interaction (NVD, Debian).

When exploited, the vulnerability can cause excessive memory consumption, potentially leading to out-of-memory conditions. Testing showed that a small input file could cause memory usage to reach the 2 GiB limit, affecting system availability. The amplification factor observed was approximately 70.77, with memory usage reaching about 400 MiB from a relatively small input file (Github Issues).

The vulnerability has been fixed in Expat version 2.7.2. The fix implements tracking and limiting of dynamic memory allocations, applying an approach similar to the existing protection against billion laughs attacks. Users are strongly recommended to upgrade to version 2.7.2 or later (Github PR).