CVE-2022-40674

CWE-416 — Use After Free16 documents11 sources

Severity

8.1HIGH

EPSS

1.1%

top 22.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Libexpat Project Libexpat Debian Debian Linux Fedoraproject Fedora

Timeline

PublishedSep 14

Latest updateFeb 28

Description

libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages2 packages

▶NVDlibexpat_project/libexpat< 2.4.9

▶Debianexpat< 2.2.10-2+deb11u4+3

Also affects: Debian Linux 10.0, 11.0, Fedora 35, 36, 37

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

firefox vulnerabilities↗2022-11-16

▶

GHSA

GHSA-2vq2-xc55-3j5m: libexpat before 2↗2022-09-15

▶

OSV

CVE-2022-40674: libexpat before 2↗2022-09-14

▶

CVEList

CVE-2022-40674: libexpat before 2↗2022-09-14

▶

📋Vendor Advisories

Ubuntu

Expat vulnerabilities↗2023-02-28

▶

Ubuntu

Expat vulnerabilities↗2022-11-17

▶

Ubuntu

Firefox vulnerabilities↗2022-11-16

▶

Ubuntu

Expat vulnerability↗2022-09-26

▶

BSD

OpenBSD 7.1 Errata 010: SECURITY FIX↗2022-09-23

▶

💬Community

Bugzilla

Evaluate expat CVE-2022-40674 fix↗2022-09-20

▶