CVE-2022-40303

CVSS v2.0

8.5

High

Vector

AV:N/AC:L/Au:N/C:N/I:P/A:C

Name of the Vulnerable Software and Affected Versions libxml2 versions prior to 2.10.3

Description The issue is related to an integer overflow in the xmlParseNameComplex() function of the libxml2 library when parsing XML documents with the XML PARSE HUGE parser option enabled. This can lead to an attempt to access an array at a negative offset, typically resulting in a segmentation fault. A remote attacker could exploit this issue to execute arbitrary code on the system by persuading a victim to open a specially-crafted file.

Recommendations For libxml2 versions prior to 2.10.3, update to version 2.10.3 or later to resolve the issue. As a temporary workaround, consider disabling the XML PARSE HUGE parser option when parsing XML documents to minimize the risk of exploitation. Restrict access to the xmlParseNameComplex() function until a patch is available. Avoid using the XML PARSE HUGE option in the affected API endpoint until the issue is resolved.

Fix

DoS

Integer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-190

Related Identifiers

ALSA-2023:0173

ALSA-2023:0338

ALT-PU-2022-2865

ALT-PU-2022-3377

ALT-PU-2023-1172

ALT-PU-2023-1234

AZL-11471

BDU:2022-06701

CESA-2023_0173

CVE-2022-40303

DLA-3172-1

DSA-5271-1

MGASA-2022-0412

OESA-2022-2080

OESA-2022-2081

OESA-2022-2082

OPENSUSE-SU-2022_3692-1

OPENSUSE-SU-2022_3871-1

OPENSUSE-SU-2024:12419-1

RHSA-2023:0173

RHSA-2023:0338

RHSA-2023_0173

RHSA-2023_0338

RHSA-2024:0413

RLSA-2023:0173

RLSA-2023:0338

SUSE-SU-2022:3692-1

SUSE-SU-2022:3717-1

SUSE-SU-2022:3871-1

SUSE-SU-2022_3692-1

USN-5760-1

USN-5760-2

USN-7659-1

Affected Products

Alt Linux

Almalinux

Astra Linux

Centos

Ibm Aix

Linuxmint

Apple Macos

Red Hat

Red Os

Rocky Linux

Suse

Ubuntu

Libxml2

CVE-2022-40303

Weakness Enumeration

Related Identifiers

Affected Products

References · 118