Use-After-Free Vulnerability in Expat XML Parser from Libexpat
CVE-2022-40674

8.1HIGH

Key Information:

Vendor: Libexpat Project
Status: Libexpat
Vendor: CVE Published:; 14 September 2022

Summary

The Expat XML Parser library, specifically its version prior to 2.4.9, contains a use-after-free vulnerability within the doContent function in xmlparse.c. This flaw can potentially be exploited to cause crashes or execute arbitrary code in affected applications using the library. Users are advised to update to the latest version to mitigate any potential risks associated with this vulnerability.

References

https://github.com/libexpat/libexpat/pull/629

https://github.com/libexpat/libexpat/pull/640

https://www.debian.org/security/2022/dsa-5236

vendor-advisory

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 14, 2022
Vulnerability Reserved
Sep 14, 2022