CVE-2022-40674

Summary

CVE: CVE-2022-40674
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2022-09-14 11:15:00 UTC
Updated: 2023-11-07 03:52:00 UTC
Description: libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.
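The affected range is a plain upstream version cut-off (anything before 2.4.9), so the first thing a practitioner wants is a check of which expat a host or interpreter actually links. The script below is an added example, not code from this page or from the libexpat project. It parses the version formats one actually encounters ("expat_2.4.8" as returned by XML_ExpatVersion() and exposed in Python as pyexpat.EXPAT_VERSION, "2.4.8" as printed by `pkg-config --modversion expat`, and the tuple from pyexpat.version_info), compares against 2.4.9, and reports on the expat bound into the running Python. The one caveat it carries: the distribution packages listed in the references and QID mappings (DSA, DLA, RHSA, ALAS and the rest) backport the fix under an older upstream version number, so for a distro-built libexpat an "affected" verdict from version comparison alone is a false positive candidate and must be confirmed against the distro advisory. The sample version strings fed to it are constructed.

```python
"""
Version triage for CVE-2022-40674 (libexpat use-after-free in doContent).

Added example, not part of the CVE record or of libexpat itself.
Affected: upstream libexpat < 2.4.9. Fixed: 2.4.9 and later.
"""
import re

import pyexpat  # the expat linked into this interpreter; exposes version_info

FIXED_IN = (2, 4, 9)  # first upstream release that carries the fix

# Handles "expat_2.4.8" (XML_ExpatVersion() / pyexpat.EXPAT_VERSION) and
# "2.4.8" (pkg-config --modversion expat). Anything else is rejected.
_VERSION_RE = re.compile(r"(?:expat_)?(\d+)\.(\d+)\.(\d+)")


def parse_expat_version(text):
    """Return (major, minor, micro) from an expat version string.

    Raises ValueError when the text does not contain an expat version,
    so a garbled or empty probe result never silently becomes "not affected".
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"not an expat version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def _as_tuple(version):
    """Accept either a version string or a (major, minor, micro) sequence."""
    if isinstance(version, str):
        return parse_expat_version(version)
    return tuple(int(x) for x in version)


def is_affected_upstream(version):
    """True if an *upstream* libexpat of this version is in the affected range.

    Caveat: distro packages backport the fix without bumping the upstream
    version, so True here means "check the distro advisory", not "vulnerable".
    """
    return _as_tuple(version) < FIXED_IN


def triage(label, version):
    """One-line verdict for a probed expat, e.g. from a host inventory."""
    v = _as_tuple(version)
    verdict = "AFFECTED (upstream range; confirm distro backport)" \
        if is_affected_upstream(v) else "not affected"
    dotted = ".".join(map(str, v))
    fixed = ".".join(map(str, FIXED_IN))
    return f"{label}: {verdict} [expat {dotted}, fixed in {fixed}]"


def check_interpreter():
    """Report on the expat bound into the running Python (pyexpat)."""
    ver = tuple(pyexpat.version_info)
    return {"version": ver, "affected_upstream": is_affected_upstream(ver)}


if __name__ == "__main__":
    # Constructed sample probe results, as a host inventory might collect them.
    samples = {
        "build-host (pkg-config)": "2.4.8",
        "appliance (XML_ExpatVersion)": "expat_2.2.10",
        "ci-runner (pkg-config)": "2.5.0",
    }
    for host, probe in samples.items():
        print(triage(host, probe))
    print(triage("this interpreter (pyexpat)", check_interpreter()["version"]))
```

Run it on any machine with Python to see the verdict for that interpreter's bundled expat; feed it `pkg-config --modversion expat` output for the system library. For hosts where the result is "AFFECTED" but the package manager reports one of the advisory-fixed builds listed on this page, the package advisory, not the upstream version number, is the authority.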

Risk And Classification

Problem Types: CWE-416 (Use After Free)

NVD Known Affected Configurations (CPE 2.3)

Type | Vendor | Product | Version | Update | Edition | Language
Operating System | Debian | Debian Linux | 10.0 | All | All | All
Operating System | Debian | Debian Linux | 11.0 | All | All | All
Operating System | Fedoraproject | Fedora | 35 | All | All | All
Operating System | Fedoraproject | Fedora | 36 | All | All | All
Operating System | Fedoraproject | Fedora | 37 | All | All | All
Application | Libexpat Project | Libexpat | All | All | All | All

References

Reference | Source | Link | Tags
[SECURITY] Fedora 36 Update: expat-2.4.9-1.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
[SECURITY] [DLA 3119-1] expat security update | MLIST | lists.debian.org |
[SECURITY] Fedora 35 Update: mingw-expat-2.4.9-1.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
[SECURITY] Fedora 37 Update: mingw-expat-2.4.9-1.fc37 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
Mozilla Firefox: Multiple Vulnerabilities (GLSA 202211-06) — Gentoo security | GENTOO | security.gentoo.org |
Debian -- Security Information -- DSA-5236-1 expat | DEBIAN | www.debian.org |
[SECURITY] Fedora 35 Update: expat-2.4.9-1.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
[SECURITY] Fedora 36 Update: mingw-expat-2.4.9-1.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
Ensure raw tagnames are safe exiting internalEntityParser by RMJ10 · Pull Request #629 · libexpat/libexpat · GitHub | MISC | github.com |
CVE-2022-40674 libexpat Vulnerability in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com |
Expat: Multiple Vulnerabilities (GLSA 202209-24) — Gentoo security | GENTOO | security.gentoo.org |
tests: Cover heap use-after-free issue in doContent (follow-up to #629) by hartwork · Pull Request #640 · libexpat/libexpat · GitHub | MISC | github.com |
CVE Program record | CVE.ORG | www.cve.org | canonical
NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis

Legacy QID Mappings

  • 160131 Oracle Enterprise Linux Security Update for expat (ELSA-2022-6838)
  • 160133 Oracle Enterprise Linux Security Update for expat (ELSA-2022-6834)
  • 160138 Oracle Enterprise Linux Security Update for expat (ELSA-2022-6878)
  • 160145 Oracle Enterprise Linux Security Update for thunderbird (ELSA-2022-7026)
  • 160146 Oracle Enterprise Linux Security Update for firefox (ELSA-2022-7020)
  • 160148 Oracle Enterprise Linux Security Update for firefox (ELSA-2022-7024)
  • 160149 Oracle Enterprise Linux Security Update for thunderbird (ELSA-2022-7023)
  • 160180 Oracle Enterprise Linux Security Update for thunderbird (ELSA-2022-6998)
  • 160182 Oracle Enterprise Linux Security Update for firefox (ELSA-2022-6997)
  • 160188 Oracle Enterprise Linux Security Update for expat (ELSA-2022-9962)
  • 160189 Oracle Enterprise Linux Security Update for compat-expat1 (ELSA-2022-9967)
  • 181073 Debian Security Update for expat (DSA 5236-1)
  • 181130 Debian Security Update for expat (DLA 3119-1)
  • 183854 Debian Security Update for expat (CVE-2022-40674)
  • 199028 Ubuntu Security Notification for Firefox Vulnerabilities (USN-5726-1)
  • 199034 Ubuntu Security Notification for Expat Vulnerabilities (USN-5638-2)
  • 199586 Ubuntu Security Notification for Expat Vulnerabilities (USN-5638-4)
  • 20320 IBM DB2 Multiple Vulnerabilities (6847293)
  • 240714 Red Hat Update for expat (RHSA-2022:6834)
  • 240716 Red Hat Update for expat (RHSA-2022:6832)
  • 240717 Red Hat Update for expat (RHSA-2022:6831)
  • 240718 Red Hat Update for expat (RHSA-2022:6838)
  • 240721 Red Hat Update for expat (RHSA-2022:6878)
  • 240733 Red Hat Update for thunderbird (RHSA-2022:6995)
  • 240735 Red Hat Update for thunderbird (RHSA-2022:6998)
  • 240739 Red Hat Update for firefox (RHSA-2022:7022)
  • 240740 Red Hat Update for firefox (RHSA-2022:7024)
  • 240741 Red Hat Update for thunderbird (RHSA-2022:7023)
  • 240742 Red Hat Update for firefox (RHSA-2022:7020)
  • 240743 Red Hat Update for thunderbird (RHSA-2022:7026)
  • 240744 Red Hat Update for thunderbird (RHSA-2022:6996)
  • 240745 Red Hat Update for firefox (RHSA-2022:6997)
  • 240746 Red Hat Update for firefox (RHSA-2022:7025)
  • 257199 CentOS Security Update for expat (CESA-2022:6834)
  • 283180 Fedora Security Update for expat (FEDORA-2022-15ec504440)
  • 283208 Fedora Security Update for expat (FEDORA-2022-c68d90efc3)
  • 283259 Fedora Security Update for mingw (FEDORA-2022-c22feb71ba)
  • 283260 Fedora Security Update for mingw (FEDORA-2022-d93b3bd8b9)
  • 283462 Fedora Security Update for mingw (FEDORA-2022-dcb1d7bcb1)
  • 296086 Oracle Solaris 11.4 Support Repository Update (SRU) 51.132.1 Missing (CPUOCT2022)
  • 296098 Oracle Solaris 11.4 Support Repository Update (SRU) 52.132.2 Missing (CPUOCT2022)
  • 330125 IBM AIX Multiple Vulnerabilities in Python (python_advisory2)
  • 354103 Amazon Linux Security Advisory for expat : ALAS2-2022-1877
  • 354131 Amazon Linux Security Advisory for thunderbird : ALAS2-2022-1900
  • 354248 Amazon Linux Security Advisory for expat : ALAS-2022-1654
  • 354280 Amazon Linux Security Advisory for expat : ALAS2022-2022-259
  • 354426 Amazon Linux Security Advisory for expat : ALAS-2022-259
  • 354528 Amazon Linux Security Advisory for expat : ALAS-2022-259
  • 354565 Amazon Linux Security Advisory for expat : ALAS-2022-259
  • 355281 Amazon Linux Security Advisory for expat : ALAS2023-2023-058
  • 356274 Amazon Linux Security Advisory for firefox : ALASFIREFOX-2023-010
  • 356488 Amazon Linux Security Advisory for firefox : ALAS2FIREFOX-2023-010
  • 377621 Alibaba Cloud Linux Security Update for expat (ALINUX2-SA-2022:0041)
  • 377714 Alibaba Cloud Linux Security Update for expat (ALINUX3-SA-2022:0169)
  • 377731 F5 BIG-IP Expat Vulnerability cve-2022-40674 (K44454157)
  • 377768 Mozilla Firefox Multiple Vulnerabilities (MFSA2022-47)
  • 377882 IBM Hypertext Transfer Protocol Server (HTTP Server) Remote Code Execution (RCE) Vulnerability (6827119)
  • 378337 IBM Tivoli Monitoring Remote Code Execution (RCE) Vulnerability (6826711)
  • 378492 Apache Open Office Multiple Vulnerabilities
  • 378514 Alibaba Cloud Linux Security Update for mingw-expat (ALINUX3-SA-2023:0043)
  • 390283 Oracle Managed Virtualization (VM) Server for x86 Security Update for expat (OVMSA-2023-0009)
  • 502508 Alpine Linux Security Update for expat
  • 502509 Alpine Linux Security Update for expat
  • 503917 Alpine Linux Security Update for expat
  • 6140116 AWS Bottlerocket Security Update for libexpat (GHSA-xvff-wcqg-jj26)
  • 672371 EulerOS Security Update for expat (EulerOS-SA-2022-2762)
  • 672398 EulerOS Security Update for expat (EulerOS-SA-2022-2727)
  • 672418 EulerOS Security Update for expat (EulerOS-SA-2022-2794)
  • 672452 EulerOS Security Update for expat (EulerOS-SA-2022-2819)
  • 672453 EulerOS Security Update for expat (EulerOS-SA-2022-2844)
  • 672728 EulerOS Security Update for expat (EulerOS-SA-2023-1501)
  • 690945 Free Berkeley Software Distribution (FreeBSD) Security Update for expat (0a0670a1-3e1a-11ed-b48b-e0d55e2a8bf9)
  • 710626 Gentoo Linux Expat Multiple Vulnerabilities (GLSA 202209-24)
  • 710686 Gentoo Linux Mozilla Firefox Multiple Vulnerabilities (GLSA 202211-06)
  • 730816 Skyhigh (McAfee) Web Gateway Security Update for expat
  • 752638 SUSE Enterprise Linux Security Update for expat (SUSE-SU-2022:3466-1)
  • 752644 SUSE Enterprise Linux Security Update for expat (SUSE-SU-2022:3489-1)
  • 752678 SUSE Enterprise Linux Security Update for expat (SUSE-SU-2022:3597-1)
  • 87525 IBM HTTP Server Remote Code Execution (RCE) Vulnerability (6827119)
  • 903901 Common Base Linux Mariner (CBL-Mariner) Security Update for expat (10944)
  • 903936 Common Base Linux Mariner (CBL-Mariner) Security Update for expat (10921)
  • 904045 Common Base Linux Mariner (CBL-Mariner) Security Update for expat (10921-1)
  • 904082 Common Base Linux Mariner (CBL-Mariner) Security Update for expat (10944-1)
  • 904948 Common Base Linux Mariner (CBL-Mariner) Security Update for cmake (12307)
  • 904949 Common Base Linux Mariner (CBL-Mariner) Security Update for python3 (12414)
  • 905092 Common Base Linux Mariner (CBL-Mariner) Security Update for python3 (12611)
  • 905144 Common Base Linux Mariner (CBL-Mariner) Security Update for cmake (12468)
  • 940659 AlmaLinux Security Update for expat (ALSA-2022:6838)
  • 940664 AlmaLinux Security Update for expat (ALSA-2022:6878)
  • 940687 AlmaLinux Security Update for thunderbird (ALSA-2022:7023)
  • 940689 AlmaLinux Security Update for firefox (ALSA-2022:7024)
  • 940696 AlmaLinux Security Update for firefox (ALSA-2022:7020)
  • 940698 AlmaLinux Security Update for thunderbird (ALSA-2022:7026)
  • 941071 AlmaLinux Security Update for mingw-expat (ALSA-2023:3068)
  • 960312 Rocky Linux Security Update for firefox (RLSA-2022:7024)
  • 960358 Rocky Linux Security Update for expat (RLSA-2022:6878)
  • 960457 Rocky Linux Security Update for thunderbird (RLSA-2022:7023)
  • 960516 Rocky Linux Security Update for expat (RLSA-2022:6838)
© CVE.report 2026


CVE, CWE, and OVAL are registered trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.
