An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).
On 32-bit platforms, where UINT_MAX equals SIZE_MAX, the dtdCopy function during the copying of DTD definitions can cause an integer overflow for the nDefaultAtts variable. This overflow can result in incorrect calculation of allocated memory size, which consequently leads to memory corruption of the process handling XML data.
An attacker can remotely, without authentication, cause arbitrary code execution (RCE), disclosure of sensitive data, or denial of service (DoS) in an application using a vulnerable version of the libexpat library.
The libexpat library should be updated to version 2.6.3 or later. Users of Debian distribution and NetApp and Siemens systems should apply patches available in the appropriate distribution channels according to vendor references.
Libexpat (libexpat Project) in versions before 2.6.3, running on 32-bit platforms (where UINT_MAX equals SIZE_MAX).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLibexpat Project Libexpat
APPLibexpat Project< 2.6.3
Related vulnerabilities
Integer overflow w libexpat β podatnoΕΔ w nextScaffoldPart na platformach 32-bitowych
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for wh...
xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into...
Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a no...