MidnightBSD

Advisories for libexpat_project

CVE-2009-3560 MEDIUM

The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c, a different vulnerability than CVE-2009-2625 and CVE-2009-3720.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
libexpat_project libexpat 2.0.1
apache http_server *
CVE-2012-0876 MEDIUM

The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,

Products Affected

Vendor Product Version
canonical ubuntu_linux 12.04
oracle solaris 11.3
debian debian_linux 6.0
canonical ubuntu_linux 8.04
redhat enterprise_linux_server_aus 6.2
libexpat_project libexpat *
redhat enterprise_linux_server 5.0
redhat enterprise_linux_workstation 6.0
debian debian_linux 7.0
redhat enterprise_linux_server 6.0
canonical ubuntu_linux 10.04
redhat enterprise_linux_workstation 5.0
redhat storage 2.0
canonical ubuntu_linux 11.10
canonical ubuntu_linux 11.04
redhat enterprise_linux_eus 6.2
redhat enterprise_linux_desktop 5.0
python python *
redhat enterprise_linux_desktop 6.0
CVE-2012-1147 MEDIUM

readfilemap.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (file descriptor consumption) via a large number of crafted XML files.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
apple mac_os_x 10.11.0
libexpat_project libexpat 1.95.2
libexpat_project libexpat 1.95.5
libexpat_project libexpat 1.95.6
libexpat_project libexpat 1.95.7
apple mac_os_x 10.11.1
libexpat_project libexpat 1.95.8
libexpat_project libexpat 2.0.0
libexpat_project libexpat 1.95.4
libexpat_project libexpat *
libexpat_project libexpat 1.95.1
CVE-2012-1148 MEDIUM

Memory leak in the poolGrow function in expat/lib/xmlparse.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (memory consumption) via a large number of crafted XML files that cause improperly-handled reallocation failures when expanding entities.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
libexpat_project libexpat 1.95.2
libexpat_project libexpat 1.95.5
libexpat_project libexpat 1.95.6
libexpat_project libexpat 1.95.7
apple mac_os_x *
libexpat_project libexpat 1.95.8
libexpat_project libexpat 2.0.0
libexpat_project libexpat 1.95.4
libexpat_project libexpat *
libexpat_project libexpat 1.95.1
CVE-2012-6702 MEDIUM

Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
canonical ubuntu_linux 12.04
canonical ubuntu_linux 16.04
google android 4.4.4
canonical ubuntu_linux 14.04
canonical ubuntu_linux 15.10
libexpat_project libexpat *
debian debian_linux 8.0
google android 5.0.2
google android 6.0
google android 5.1.1
google android 6.0.1
CVE-2013-0340 MEDIUM

expat before version 2.4.0 does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,

Products Affected

Vendor Product Version
apple macos *
apple watchos *
apple ipados *
libexpat_project libexpat *
apple iphone_os *
python python *
apple tvos *
CVE-2015-1283 MEDIUM

Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data, a related issue to CVE-2015-2716.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,

Products Affected

Vendor Product Version
canonical ubuntu_linux 12.04
suse linux_enterprise_desktop 12
google chrome *
oracle solaris 11.3
oracle solaris 10
opensuse leap 42.1
canonical ubuntu_linux 14.04
opensuse opensuse 13.1
canonical ubuntu_linux 15.04
libexpat_project libexpat *
suse linux_enterprise_server 11
debian debian_linux 8.0
suse linux_enterprise_server 12
suse linux_enterprise_software_development_kit 11
debian debian_linux 7.0
suse linux_enterprise_software_development_kit 12
debian debian_linux 9.0
opensuse opensuse 13.2
suse studio_onsite 1.3
python python *
suse linux_enterprise_debuginfo 11
CVE-2016-0718 HIGH

Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
canonical ubuntu_linux 12.04
suse linux_enterprise_desktop 12
opensuse leap 42.1
canonical ubuntu_linux 14.04
opensuse opensuse 13.1
libexpat_project libexpat *
suse linux_enterprise_server 11
debian debian_linux 8.0
suse linux_enterprise_server 12
suse linux_enterprise_software_development_kit 11
suse linux_enterprise_software_development_kit 12
mozilla firefox *
canonical ubuntu_linux 16.04
opensuse opensuse 13.2
apple mac_os_x *
mcafee policy_auditor *
suse studio_onsite 1.3
python python *
suse linux_enterprise_debuginfo 11
CVE-2016-4472 MEDIUM

The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
canonical ubuntu_linux 12.04
mcafee policy_auditor *
libexpat_project libexpat *
python python *
CVE-2016-5300 HIGH

The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-399,

Products Affected

Vendor Product Version
canonical ubuntu_linux 12.04
canonical ubuntu_linux 16.04
google android 4.4.4
canonical ubuntu_linux 14.04
canonical ubuntu_linux 15.10
libexpat_project libexpat *
debian debian_linux 8.0
google android 5.0.2
google android 6.0
google android 5.1.1
google android 6.0.1
CVE-2017-11742 MEDIUM

The writeRandomBytes_RtlGenRandom function in xmlparse.c in libexpat in Expat 2.2.1 and 2.2.2 on Windows allows local users to gain privileges via a Trojan horse ADVAPI32.DLL in the current working directory because of an untrusted search path, aka DLL hijacking.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-426,

Products Affected

Vendor Product Version
libexpat_project libexpat 2.2.2
libexpat_project libexpat 2.2.1
CVE-2017-9233 MEDIUM

XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,CWE-835,

Products Affected

Vendor Product Version
debian debian_linux 9.0
libexpat_project libexpat *
debian debian_linux 8.0
python python *
debian debian_linux 10.0
CVE-2018-20843 HIGH

In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-611,CWE-611,

Products Affected

Vendor Product Version
canonical ubuntu_linux 12.04
opensuse leap 15.1
canonical ubuntu_linux 14.04
fedoraproject fedora 30
oracle http_server 12.2.1.4.0
libexpat_project libexpat *
debian debian_linux 8.0
canonical ubuntu_linux 18.04
canonical ubuntu_linux 19.04
oracle http_server 12.1.3.0
debian debian_linux 9.0
canonical ubuntu_linux 16.04
oracle outside_in_technology 8.5.5
canonical ubuntu_linux 18.10
oracle outside_in_technology 8.5.4
fedoraproject fedora 29
tenable nessus *
oracle hospitality_res_3700 *
opensuse leap 15.0
CVE-2019-15903 MEDIUM

In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-776,CWE-125,

Products Affected

Vendor Product Version
libexpat_project libexpat *
python python *
CVE-2021-45960 HIGH

In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-682,CWE-682,

Products Affected

Vendor Product Version
netapp solidfire_&_hci_management_node -
siemens sinema_remote_connect_server *
netapp hci_baseboard_management_controller h615c
netapp active_iq_unified_manager -
netapp oncommand_workflow_automation -
debian debian_linux 11.0
libexpat_project libexpat *
netapp hci_baseboard_management_controller h610s
netapp hci_baseboard_management_controller h610c
tenable nessus *
debian debian_linux 10.0
CVE-2021-46143 MEDIUM

In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9
cve@mitre.org 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-190,

Products Affected

Vendor Product Version
netapp solidfire_&_hci_management_node -
siemens sinema_remote_connect_server *
netapp hci_baseboard_management_controller h615c
netapp active_iq_unified_manager -
netapp oncommand_workflow_automation -
libexpat_project libexpat *
netapp hci_baseboard_management_controller h610s
netapp hci_baseboard_management_controller h610c
netapp clustered_data_ontap -
tenable nessus *
CVE-2022-22822 HIGH

addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,CWE-190,

Products Affected

Vendor Product Version
siemens sinema_remote_connect_server *
debian debian_linux 11.0
libexpat_project libexpat *
tenable nessus *
debian debian_linux 10.0
CVE-2022-22823 HIGH

build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,CWE-190,

Products Affected

Vendor Product Version
siemens sinema_remote_connect_server *
debian debian_linux 11.0
libexpat_project libexpat *
tenable nessus *
debian debian_linux 10.0
CVE-2022-22824 HIGH

defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,CWE-190,

Products Affected

Vendor Product Version
siemens sinema_remote_connect_server *
debian debian_linux 11.0
libexpat_project libexpat *
tenable nessus *
debian debian_linux 10.0
CVE-2022-22825 MEDIUM

lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-190,

Products Affected

Vendor Product Version
siemens sinema_remote_connect_server *
debian debian_linux 11.0
libexpat_project libexpat *
tenable nessus *
debian debian_linux 10.0
CVE-2022-22826 MEDIUM

nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-190,

Products Affected

Vendor Product Version
siemens sinema_remote_connect_server *
debian debian_linux 11.0
libexpat_project libexpat *
tenable nessus *
debian debian_linux 10.0
CVE-2022-22827 MEDIUM

storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-190,

Products Affected

Vendor Product Version
siemens sinema_remote_connect_server *
debian debian_linux 11.0
libexpat_project libexpat *
tenable nessus *
debian debian_linux 10.0
CVE-2022-23852 HIGH

Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,CWE-190,

Products Affected

Vendor Product Version
siemens sinema_remote_connect_server *
debian debian_linux 9.0
netapp oncommand_workflow_automation -
libexpat_project libexpat *
netapp clustered_data_ontap -
tenable nessus *
oracle communications_metasolv_solution 6.3.1
CVE-2022-23990 MEDIUM

Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-190,

Products Affected

Vendor Product Version
siemens sinema_remote_connect_server *
fedoraproject fedora 35
debian debian_linux 11.0
libexpat_project libexpat *
fedoraproject fedora 34
tenable nessus *
oracle communications_metasolv_solution 6.3.1
debian debian_linux 10.0
CVE-2022-25235 HIGH

xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-116,CWE-116,

Products Affected

Vendor Product Version
siemens sinema_remote_connect_server *
fedoraproject fedora 35
oracle zfs_storage_appliance_kit 8.8
debian debian_linux 11.0
oracle http_server 12.2.1.3.0
oracle http_server 12.2.1.4.0
libexpat_project libexpat *
fedoraproject fedora 34
debian debian_linux 10.0
CVE-2022-25236 HIGH

xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-668,CWE-668,

Products Affected

Vendor Product Version
siemens sinema_remote_connect_server *
oracle zfs_storage_appliance_kit 8.8
debian debian_linux 11.0
oracle http_server 12.2.1.3.0
oracle http_server 12.2.1.4.0
libexpat_project libexpat *
debian debian_linux 10.0
CVE-2022-25313 MEDIUM

In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-674,CWE-674,

Products Affected

Vendor Product Version
siemens sinema_remote_connect_server *
fedoraproject fedora 35
oracle zfs_storage_appliance_kit 8.8
debian debian_linux 11.0
oracle http_server 12.2.1.3.0
oracle http_server 12.2.1.4.0
libexpat_project libexpat *
fedoraproject fedora 34
debian debian_linux 10.0
CVE-2022-25314 MEDIUM

In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-190,

Products Affected

Vendor Product Version
siemens sinema_remote_connect_server *
fedoraproject fedora 35
oracle zfs_storage_appliance_kit 8.8
debian debian_linux 11.0
oracle http_server 12.2.1.3.0
oracle http_server 12.2.1.4.0
libexpat_project libexpat *
fedoraproject fedora 34
debian debian_linux 10.0
CVE-2022-25315 HIGH

In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,CWE-190,

Products Affected

Vendor Product Version
siemens sinema_remote_connect_server *
fedoraproject fedora 35
oracle zfs_storage_appliance_kit 8.8
debian debian_linux 11.0
oracle http_server 12.2.1.3.0
oracle http_server 12.2.1.4.0
libexpat_project libexpat *
fedoraproject fedora 34
debian debian_linux 10.0
CVE-2022-40674

libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.

Products Affected

Vendor Product Version
fedoraproject fedora 37
fedoraproject fedora 35
debian debian_linux 11.0
libexpat_project libexpat *
fedoraproject fedora 36
debian debian_linux 10.0
CVE-2022-43680

In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.

Products Affected

Vendor Product Version
netapp baseboard_management_controller_h300s_firmware -
fedoraproject fedora 35
netapp h500s_firmware -
netapp oncommand_workflow_automation -
netapp h410s_firmware -
libexpat_project libexpat *
netapp baseboard_management_controller_h410s_firmware -
netapp h700s_firmware -
netapp h410c_firmware -
debian debian_linux 10.0
netapp solidfire_&_hci_management_node -
fedoraproject fedora 37
netapp active_iq_unified_manager -
debian debian_linux 11.0
netapp h300s_firmware -
netapp baseboard_management_controller_h700s_firmware -
netapp hci_compute_node_firmware -
netapp baseboard_management_controller_h410c_firmware -
fedoraproject fedora 36
netapp baseboard_management_controller_h500s_firmware -
CVE-2023-52425

libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
libexpat_project libexpat *
CVE-2023-52426

libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
libexpat_project libexpat *
CVE-2024-28757

libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).

Products Affected

Vendor Product Version
fedoraproject fedora 39
netapp h500s_firmware -
netapp windows_host_utilities -
netapp oncommand_workflow_automation -
fedoraproject fedora 40
netapp h610s_firmware -
netapp h410s_firmware -
libexpat_project libexpat *
netapp h700s_firmware -
netapp h410c_firmware -
fedoraproject fedora 38
netapp h610c_firmware -
netapp active_iq_unified_manager -
netapp h300s_firmware -
netapp ontap_tools 10
netapp ontap 9
CVE-2024-45490

An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.

Products Affected

Vendor Product Version
libexpat_project libexpat *
CVE-2024-45491

An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).

Products Affected

Vendor Product Version
libexpat_project libexpat *
CVE-2024-45492

An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).

Products Affected

Vendor Product Version
libexpat_project libexpat *
CVE-2024-50602

An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser.

Products Affected

Vendor Product Version
netapp solidfire_&_hci_storage_node -
netapp h500s_firmware -
netapp windows_host_utilities -
netapp h410s_firmware -
libexpat_project libexpat *
netapp h700s_firmware -
netapp h410c_firmware -
netapp hci_compute_node -
netapp solidfire_&_hci_management_node -
netapp active_iq_unified_manager -
debian debian_linux 11.0
netapp h300s_firmware -
CVE-2025-59375

libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
libexpat_project libexpat *
CVE-2025-66382

In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 2.9 LOW CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 1.4 1.4

Products Affected

Vendor Product Version
libexpat_project libexpat *
CVE-2026-24515

In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 2.9 LOW CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 1.4 1.4

Products Affected

Vendor Product Version
libexpat_project libexpat *
CVE-2026-25210

In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 6.9 MEDIUM CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L 1.4 5.5

Products Affected

Vendor Product Version
libexpat_project libexpat *
CVE-2026-32776

libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6
cve@mitre.org 4.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 2.5 1.4

Products Affected

Vendor Product Version
libexpat_project libexpat *
CVE-2026-32777

libexpat before 2.7.5 allows an infinite loop while parsing DTD content.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 4.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 2.5 1.4
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
libexpat_project libexpat *
CVE-2026-32778

libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier ouf-of-memory condition.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 2.9 LOW CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 1.4 1.4
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
libexpat_project libexpat *
CVE-2026-41080

libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6
cve@mitre.org 2.9 LOW CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 1.4 1.4

Products Affected

Vendor Product Version
libexpat_project libexpat *