Integer Overflow Vulnerability in Expat XML Parser Affects Multiple Versions
CVE-2022-22826
8.8 HIGH
What is CVE-2022-22826?
The Expat XML Parser contains an integer overflow in the 'nextScaffoldPart' function in xmlparse.c, which can lead to unexpected behavior or security risks. The flaw exists in versions prior to 2.4.3. Users of affected versions should update or apply the relevant patches promptly to mitigate the risks associated with this vulnerability.
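To check a version against the 2.4.3 boundary stated above, the following added example (not part of the original advisory or of Expat itself) compares version numbers numerically and reports the Expat build linked into the running Python interpreter's `pyexpat` module. The function names are hypothetical and the sample version strings are constructed for illustration.

```python
import re
import pyexpat

# From the advisory: versions prior to 2.4.3 are affected.
FIXED_IN = (2, 4, 3)

# Accepts "expat_2.4.1" (the form pyexpat reports) as well as a bare "2.4.1".
_VERSION_RE = re.compile(r"(?:expat[_-])?(\d+)\.(\d+)\.(\d+)")


def parse_expat_version(text):
    """Return (major, minor, micro) as integers, or raise ValueError."""
    match = _VERSION_RE.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"unrecognised Expat version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """True when the version (string or tuple) predates the fixed release.

    Comparison is done on integer tuples, so 2.10.0 correctly sorts after
    2.4.3; a plain string comparison would get that case wrong.
    """
    if isinstance(version, str):
        version = parse_expat_version(version)
    return tuple(version) < FIXED_IN


def runtime_report():
    """Describe the Expat build linked into this interpreter."""
    linked = tuple(pyexpat.version_info)
    if is_affected(linked):
        status = "older than 2.4.3 by version number"
    else:
        status = "at or above 2.4.3"
    return f"{pyexpat.EXPAT_VERSION}: {status}"


if __name__ == "__main__":
    print(runtime_report())
    # Constructed sample version strings, not taken from any real inventory.
    for sample in ("expat_2.4.1", "expat_2.4.2", "2.4.3", "expat_2.10.0"):
        verdict = "affected" if is_affected(sample) else "not affected"
        print(f"{sample} -> {verdict}")
```

A version number is only a first-pass signal: distributions may backport the fix without changing the upstream version, so confirm against the vendor's package changelog before concluding a build is unpatched.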