An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).
On 32-bit platforms where the value of UINT_MAX equals SIZE_MAX, an integer overflow occurs in the m_groupSize variable during XML document processing by the nextScaffoldPart function. The overflow can lead to improper memory operations, such as allocating a buffer that is too small or accessing beyond its boundaries. An attacker can provide a specially crafted XML document that triggers this flaw.
Successful exploitation of this vulnerability may allow an attacker to achieve remote code execution (RCE), compromise data confidentiality and integrity, and cause denial of service (DoS) in applications using the libexpat library on 32-bit platforms.
Update libexpat to version 2.6.3 or newer. Additional information about available patches for specific distributions and systems can be found in the vendor's references and in advisories from Debian LTS, NetApp, and Siemens.
Libexpat (libexpat Project) in versions prior to 2.6.3, on 32-bit platforms (where UINT_MAX equals SIZE_MAX).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLibexpat Project Libexpat
APPLibexpat Project< 2.6.3
Related vulnerabilities
Integer overflow w libexpat (dtdCopy) na platformach 32-bitowych
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for wh...
xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into...
Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a no...