From 3de54af0969418014e9093dd2b41bd712dd9b12e Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Sun, 18 Jan 2026 18:19:25 +0100
Subject: [PATCH] Changes: Document CVE-2026-24515

---
 expat/Changes | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/expat/Changes b/expat/Changes
index 67e3e2ba..eae485d6 100644
--- a/expat/Changes
+++ b/expat/Changes
@@ -42,12 +42,26 @@
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 
 Release 2.7.4 ??? ????????? ?? ????
+        Security fixes:
+           #1131  CVE-2026-24515 -- Function XML_ExternalEntityParserCreate
+                    failed to copy the encoding handler data passed to
+                    XML_SetUnknownEncodingHandler from the parent to the new
+                    subparser. This can cause a NULL dereference (CWE-476) from
+                    external entities that declare use of an unknown encoding.
+                    The expected impact is denial of service. It takes use of
+                    both functions XML_ExternalEntityParserCreate and
+                    XML_SetUnknownEncodingHandler for an application to be
+                    vulnerable.
+
         Other changes:
            #1066  docs: Be explicit that parent parsers need to outlive
                     subparsers
            #1105  Stop using -fno-strict-aliasing, and use -Wstrict-aliasing=3
                     instead
 
+        Special thanks to:
+            Artiphishell Inc.
+
 Release 2.7.3 Wed September 24 2025
         Security fixes:
      #1046 #1048  Fix alignment of internal allocations for some non-amd64