CVE-2022-40303

2022-11-2300:15:11

Google

osv.dev

libxml2

xml parsing

integer overflow

segmentation fault

software vulnerability

9.3 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.046 Low

EPSS

Percentile

92.6%

JSON

An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault.

CPENameOperatorVersion
libxml2eq2.7.8-r1
libxml2eq2.9.10-r4
libxml2eq2.9.6-r0
libxml2eqLIBXML_2_4_4
libxml2eq2.7.6-r3
libxml2eqPRE_MUCKUP2
libxml2eqLIBXML_2_4_12
libxml2eq2.9.10-r5
libxml2eqLIBXML_2_4_25
libxml2eq2.7.8-r2

Name	Operator	Version
libxml2	eq	2.7.8-r1
libxml2	eq	2.9.10-r4
libxml2	eq	2.9.6-r0
libxml2	eq	LIBXML_2_4_4
libxml2	eq	2.7.6-r3
libxml2	eq	PRE_MUCKUP2
libxml2	eq	LIBXML_2_4_12
libxml2	eq	2.9.10-r5
libxml2	eq	LIBXML_2_4_25
libxml2	eq	2.7.8-r2