CVE-2024-45492 — Integer Overflow or Wraparound in Project Libexpat

CWE-190 — Integer Overflow or Wraparound15 documents10 sources

Severity

9.8CRITICALNVD

EPSS

1.2%

top 21.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Libexpat Project Libexpat

Timeline

PublishedAug 30

Latest updateJan 15

Description

An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

▶NVDlibexpat_project/libexpat< 2.6.3

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

expat vulnerabilities↗2024-09-17

▶

OSV

expat vulnerabilities↗2024-09-12

▶

OSV

CVE-2024-45492: An issue was discovered in libexpat before 2↗2024-08-30

▶

CVEList

CVE-2024-45492: An issue was discovered in libexpat before 2↗2024-08-30

▶

GHSA

GHSA-5qxm-qvmj-8v79: An issue was discovered in libexpat before 2↗2024-08-30

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: Install/Upgrade (LibExpat) — CVE-2024-45492↗2025-01-15

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: Core (LibExpat) — CVE-2024-45492↗2024-10-15

▶

BSD

OpenBSD 7.5 Errata 007: SECURITY FIX↗2024-09-17

▶

Ubuntu

Expat vulnerabilities↗2024-09-17

▶

BSD

OpenBSD 7.4 Errata 020: SECURITY FIX↗2024-09-17

▶