CVE-2022-40303

CWE-190 Integer Overflow | 25 documents | 11 sources
Severity: 7.5 HIGH
EPSS: 0.2% (top 60.29%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 23 | Latest update Sep 28

Description

An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (10 packages)

NVD | xmlsoft/libxml2 | < 2.10.3
Android | platform/external/libxml2 | 13:0 | 13:2023-03-01
Debian | libxml2 | < 2.9.10+dfsg-6.7+deb11u3 | +3
Ubuntu | libxml2 | < 2.9.4+dfsg1-6.1ubuntu1.8 | +4
RubyGems | nokogiri | < 1.13.9

Patches

🔴 Vulnerability Details (11)

OSV | inetutils vulnerabilities | 2025-09-28
OSV | inetutils vulnerabilities | 2023-08-22
OSV | CVE-2022-40303: In multiple functions of parser | 2023-03-01
OSV | libxml2 vulnerabilities | 2022-12-05
OSV | libxml2 vulnerabilities | 2022-12-05

📋 Vendor Advisories (13)

Ubuntu | Nokogiri vulnerabilities | 2025-07-21
Apple | CVE-2022-40303: tvOS 16.2 | 2022-12-13
Apple | CVE-2022-40303: macOS Monterey 12.6.2 | 2022-12-13
Apple | CVE-2022-40303: macOS Big Sur 11.7.2 | 2022-12-13
Apple | CVE-2022-40303: watchOS 9.2 | 2022-12-13
CVE-2022-40303 (HIGH CVSS 7.5) | An issue was discovered in libxml2 | cvebase.io