libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset made from within handlers in cases of a policy violation. As a result, a use-after-free can occur; this issue is part of a larger set of vulnerabilities that also includes an out-of-bounds write, missing control-flow integrity checks, and an integer overflow.
| Vendor | Product | Versions |
|---|---|---|
| libexpat_project | libexpat | 0 |
Downstream vendors/products affected by this vulnerability
| Vendor | Product | Source | Confidence |
|---|---|---|---|
| open source | expat | cert_advisory | 90% |
Updated severity to HIGH, marked as actively exploited and exploit available, and provided a more detailed description of the vulnerability.
Updated affected versions to include 2.8.1, changed severity to CRITICAL, and noted that there is no available exploit.
Initial creation