Upgrade bundled Expat to 2.8.2 (e.g. for the fix to CVE-2026-56132 and 12 others)

[hartwork]

Please see blog post https://blog.hartwork.org/posts/expat-2-8-2-released/ for an overview and the change log at https://github.com/libexpat/libexpat/blob/R_2_8_2/expat/Changes for details. Affects all alive branches of Python. Thank you!

PS: Note that this release comes with three new files files to be bundled:

• lib/fallthrough.h
• lib/memory_sanitizer.h
• lib/xcsinc.c

Related: #149698 (predecessor for Expat 2.8.1)

CC @StanFromIreland

---

• CVE-2026-50219
• CVE-2026-56131
• CVE-2026-56132
• CVE-2026-56403
• CVE-2026-56404
• CVE-2026-56405
• CVE-2026-56406
• CVE-2026-56407
• CVE-2026-56408
• CVE-2026-56409
• CVE-2026-56410
• CVE-2026-56411
• CVE-2026-56412

Linked PRs

• gh-152216: Update bundled expat to 2.8.2 #152234

[zainnadeem786]

Hi @hartwork @StanFromIreland

I can take a look at this and prepare a focused PR if no one else is already working on it.

I checked the previous Expat 2.8.1 update pattern from gh-149698 / gh-149699 and started comparing the bundled 2.8.1 copy with upstream 2.8.2.

From the initial investigation, this looks like a focused vendoring update involving the refreshed Expat sources, the new upstream files mentioned here, SBOM metadata, and a Security NEWS entry while preserving CPython’s local Expat configuration and symbol namespacing.

I’ll validate the update with the focused XML/pyexpat test suite before opening a PR.

[StanFromIreland]

I've assigned myself this, please check such things in the future.