CVE-2022-40303

HIGH EXPLOITED

libxml2 < 2.10.3 - Integer Overflow via XML_PARSE_HUGE Parser Option

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2022-40303 has been observed exploited in the wild (reported by VulnCheck KEV).

Description

An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault.

References (13)

Core 13
Core References
Release Notes, Third Party Advisory
https://gitlab.gnome.org/GNOME/libxml2/-/tags/v2.10.3
Mailing List, Third Party Advisory mailing-list
http://seclists.org/fulldisclosure/2022/Dec/21
Mailing List, Third Party Advisory mailing-list
http://seclists.org/fulldisclosure/2022/Dec/25
Mailing List, Third Party Advisory mailing-list
http://seclists.org/fulldisclosure/2022/Dec/26
Mailing List, Third Party Advisory mailing-list
http://seclists.org/fulldisclosure/2022/Dec/24

Scores

CVSS v3 7.5
EPSS 0.0023
EPSS Percentile 45.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

VulnCheck KEV 2022-12-13
CWE
CWE-190
Status published
Products (17)
apple/ipados < 15.7.2
apple/iphone_os < 15.7.2
apple/macos 11.0 - 11.7.2
apple/tvos < 16.2
apple/watchos < 9.2
netapp/active_iq_unified_manager
netapp/clustered_data_ontap
netapp/clustered_data_ontap_antivirus_connector
netapp/h300s_firmware
netapp/h410c_firmware
... and 7 more
Published Nov 23, 2022
Tracked Since Feb 18, 2026