Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.

🗓️ 01 Feb 2022 08:00:00Reported by MicrosoftType

mscve

mscve🔗 msrc.microsoft.com👁 2 Views

Expat (libexpat) before 2.4.4 has an integer overflow in the doProlog function.

Reporter	Title	Published	Views	Family All 248
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On due to Expat vulnerabilities	11 Apr 202202:48	–	ibm
IBM Security Bulletins	Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from Expat, SQlite, libxml2, Libksba, zlib and GnuTLS	30 Nov 202208:48	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Expat (AKA libexpat) affect IBM Storage Protect for Virtual Environments: Data Protection for VMware (CVE-2022-23852, CVE-2022-23990)	11 Oct 202314:40	–	ibm
IBM Security Bulletins	Security Bulletin: Expat vulnerabilities affect IBM Netezza Analytics for NPS	3 Jun 202214:32	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in Expat component shipped with IBM Rational ClearCase ( CVE-2022-23852, CVE-2022-23990, CVE-2022-25235, CVE-2022-25315 )	25 Jul 202214:50	–	ibm
IBM Security Bulletins	Security Bulletin: security vulnerabilities are addressed with IBM Business Automation Insights iFixes for April 2026.	5 May 202621:39	–	ibm
IBM Security Bulletins	Security Bulletin: Security vulnerabilities may affect IBM WebSphere Liberty and Expat that are shipped with IBM CICS TX Standard.	24 Mar 202613:54	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple security vulnerabilities are addressed with Cloud Pak foundational services 4.17.0 shipped with IBM Cloud Pak for Business Automation iFixes for April 2026	27 May 202609:11	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring included WebSphere Application Server and IBM HTTP Server used by WebSphere Application Server	30 Dec 202217:31	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple security vulnerabilities are addressed with Cloud Pak foundational services before 4.6.20 shipped with IBM Cloud Pak for Business Automation iFixes for January 2026.	17 Mar 202617:38	–	ibm

Vulners

Node

microsoft cbl2_expat_2.4.8-1Range<2.4.8-1

OR

microsoft cm1_expat_2.4.4-1Range<2.4.4-1

01 Feb 2022 08:00Current

7.1High risk

Vulners AI Score7.1

CVSS 25

CVSS 3.17.5

EPSS0.037

SSVC

expat library integer overflow doProlog function