PT-2022-1766 · Expat +13

Published: 2022-02-15 · Updated: 2026-05-27 · CVE-2022-25236

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Expat (aka libexpat) versions prior to 2.4.5

Description: The issue is caused by insufficient input validation in the xmlparse.c component of the Expat library, which allows an attacker to insert namespace-separator characters into namespace URIs. A remote attacker can exploit this to cause a denial of service (DoS) by sending a specially crafted request. The vulnerability can also potentially allow an attacker to execute arbitrary code on the system by persuading a victim to open a specially crafted file.

Recommendations: For Expat (aka libexpat) versions prior to 2.4.5, update to version 2.4.5 or later to resolve the issue. If the update cannot be applied immediately, restrict the use of the xmlparse.c component as a temporary workaround, and do not use the vulnerable component to parse untrusted XML files until the update is in place. At the moment, there is no other information about additional mitigation measures.

Fix · DoS

Weakness Enumeration: Exposure of Resource to Wrong Sphere

Related Identifiers

ALSA-2022:0818
ALSA-2022:0845
ALSA-2022:0951
ALSA-2022:7811
ALT-PU-2022-1348
ALT-PU-2022-1453
ALT-PU-2023-4107
ALT-PU-2023-4120
ALT-PU-2023-4144
AZL-8604
BDU:2022-01065
CESA-2022_0818
CESA-2022_0824
CESA-2022_0845
CESA-2022_0850
CESA-2022_0951
CESA-2022_1069
CESA-2022_7811
CLEANSTART-2026-EM10970
CLEANSTART-2026-MH09144
CLEANSTART-2026-YT18139
CVE-2022-25236
DLA-2935-1
DSA-5085-1
DSA-5085-2
MGASA-2022-0081
MGASA-2022-0156
MGASA-2022-0157
OESA-2022-1554
OESA-2022-1588
OESA-2022-2057
OESA-2022-2085
OPENSUSE-SU-2022:0713-1
OPENSUSE-SU-2022:0844-1
OPENSUSE-SU-2022_0713-1
OPENSUSE-SU-2022_0844-1
OPENSUSE-SU-2022_2294-1
OPENSUSE-SU-2024:11866-1
OPENSUSE-SU-2024:12150-1
OPENSUSE-SU-2024:12152-1
OPENSUSE-SU-2024:12336-1
OPENSUSE-SU-2024:12341-1
OPENSUSE-SU-2024:12622-1
OPENSUSE-SU-2024:12910-1
OPENSUSE-SU-2024:14109-1
OPENSUSE-SU-2024:14434-1
OPENSUSE-SU-2024_0784-1
OPENSUSE-SU-2025:15713-1
RHSA-2022:0815
RHSA-2022:0816
RHSA-2022:0817
RHSA-2022:0818
RHSA-2022:0824
RHSA-2022:0843
RHSA-2022:0845
RHSA-2022:0847
RHSA-2022:0850
RHSA-2022:0853
RHSA-2022:0951
RHSA-2022:1012
RHSA-2022:1053
RHSA-2022:1068
RHSA-2022:1069
RHSA-2022:1070
RHSA-2022:1263
RHSA-2022:1309
RHSA-2022:7811
RHSA-2022_0818
RHSA-2022_0824
RHSA-2022_0845
RHSA-2022_0850
RHSA-2022_0951
RHSA-2022_1069
RHSA-2022_1309
RHSA-2022_7811
RLSA-2022:0818
RLSA-2022:0845
RLSA-2022:0951
SUSE-SU-2022:0698-1
SUSE-SU-2022:0713-1
SUSE-SU-2022:0842-1
SUSE-SU-2022:0844-1
SUSE-SU-2022:0844-2
SUSE-SU-2022:14903-1
SUSE-SU-2022:14934-1
SUSE-SU-2022:2294-1
SUSE-SU-2022_0842-1
SUSE-SU-2022_0844-1
SUSE-SU-2022_14903-1
SUSE-SU-2022_14934-1
SUSE-SU-2024:0782-1
SUSE-SU-2024:0782-2
SUSE-SU-2024:0784-1
SUSE-SU-2024_0782-1
SUSE-SU-2024_0782-2
SUSE-SU-2024_0784-1
SUSE-SU-2025:20025-1
SUSE-SU-2025:20154-1
SUSE-SU-2025:20374-1
USN-5288-1
USN-5455-1
USN-8235-1
USN-8240-1
USN-8241-1
USN-8313-1
USN-8314-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Debian
Expat
Ibm Aix
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Zvirt Node