PT-2022-1754 · Expat+12 · Expat+12

Hartwork

·

Published

2022-01-06

·

Updated

2026-04-01

·

CVE-2021-46143

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Expat versions prior to 2.4.3
Description The issue is related to an integer overflow in the doProlog function of the xmlparse.c file in the Expat library. This could allow a remote attacker to impact the confidentiality, integrity, and availability of protected information. The vulnerability exists due to an integer overflow for m groupSize.
Recommendations For versions prior to 2.4.3, update to version 2.4.3 or later to resolve the issue. As a temporary workaround, consider restricting the use of the doProlog function in xmlparse.c until a patch is available. Avoid using the m groupSize variable in the affected function to minimize the risk of exploitation.

Exploit

Fix

DoS

Integer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-190

Related Identifiers

ALSA-2022:0951
ALSA-2022:7692
ALT-PU-2022-1072
ALT-PU-2022-1130
ALT-PU-2022-1176
ALT-PU-2023-4107
AZL-7155
BDU:2022-01052
CESA-2022_0951
CESA-2022_1069
CESA-2022_7692
CLEANSTART-2026-EM10970
CLEANSTART-2026-MH09144
CLEANSTART-2026-YT18139
CVE-2021-46143
DLA-2904-1
DSA-5073-1
MGASA-2022-0031
OESA-2022-1490
OESA-2023-1464
OESA-2023-1465
OPENSUSE-SU-2022:0178-1
OPENSUSE-SU-2022_0178-1
OPENSUSE-SU-2024:11762-1
RHSA-2022:0951
RHSA-2022:1069
RHSA-2022:7692
RHSA-2022_0951
RHSA-2022_1069
RHSA-2022_7692
RLSA-2022:0951
RLSA-2022:7692
SUSE-SU-2022:0178-1
SUSE-SU-2022:0179-1
SUSE-SU-2022:14878-1
USN-5288-1
USN-5455-1
USN-7199-1
USN-7913-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Debian
Expat
Ibm Aix
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu