Package details: pkg:deb/debian/expat@2.2.6-2%2Bdeb10u4
purl: pkg:deb/debian/expat@2.2.6-2+deb10u4 (shown URL-encoded above; %2B is the "+" of the Debian revision 2+deb10u4, the suffix Debian uses for a buster security update)
Next non-vulnerable version: 2.5.0-1+deb12u2
Latest non-vulnerable version: 2.5.0-1+deb12u2
Risk score: 4.5
Vulnerabilities affecting this package (24)
Vulnerability Aliases Summary Fixed by (the fixing package; the count in parentheses is how many other vulnerabilities still affect that fixing package)
VCID-38en-btnt-5bhw CVE-2022-25314 In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString. Fixed by 2.2.10-2+deb11u5 (affected by 9 other vulnerabilities)
VCID-3g24-e9ng-z7gx CVE-2022-40674 A flaw in XML parsing could have led to a use-after-free causing a potentially exploitable crash (upstream: libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c). In official releases of Firefox this vulnerability is mitigated by wasm sandboxing; versions managed by Linux distributions may have other settings. Fixed by 2.2.10-2+deb11u5 (affected by 9 other vulnerabilities)
VCID-47ja-wy36-m7ey CVE-2022-25313 In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element. Fixed by 2.2.10-2+deb11u5 (affected by 9 other vulnerabilities)
VCID-7ry9-j4mj-9qbv CVE-2022-22827 storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. Fixed by 2.2.10-2+deb11u5 (affected by 9 other vulnerabilities)
VCID-bfcc-wr6s-bbeb CVE-2021-46143 In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize. Fixed by 2.2.10-2+deb11u5 (affected by 9 other vulnerabilities)
VCID-d5kt-vj2g-2uf6 CVE-2022-23852 Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES. Fixed by 2.2.10-2+deb11u5 (affected by 9 other vulnerabilities)
VCID-dgs1-y858-hfhp CVE-2024-50602 An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser. Fixed by 2.5.0-1+deb12u1 (affected by 5 other vulnerabilities); 2.5.0-1+deb12u2 (affected by 0 other vulnerabilities)
VCID-emb9-ht45-suej CVE-2022-22824 defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. Fixed by 2.2.10-2+deb11u5 (affected by 9 other vulnerabilities)
VCID-eymk-66au-wbfe CVE-2022-22826 nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. Fixed by 2.2.10-2+deb11u5 (affected by 9 other vulnerabilities)
VCID-fsrs-93re-6bf3 CVE-2022-22823 build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. Fixed by 2.2.10-2+deb11u5 (affected by 9 other vulnerabilities)
VCID-jk3t-c9pe-c3a1 CVE-2024-45491 An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). Fixed by 2.5.0-1+deb12u1 (affected by 5 other vulnerabilities)
VCID-p912-5aeb-xqdq CVE-2022-22822 addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. Fixed by 2.2.10-2+deb11u5 (affected by 9 other vulnerabilities)
VCID-phjj-j9b4-w7ft CVE-2023-52425 libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. Fixed by 2.5.0-1+deb12u1 (affected by 5 other vulnerabilities); 2.5.0-1+deb12u2 (affected by 0 other vulnerabilities)
VCID-q4dm-bt19-nqb3 CVE-2022-25236 xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs. Fixed by 2.2.10-2+deb11u5 (affected by 9 other vulnerabilities)
VCID-q5fr-c58g-sfeb CVE-2022-25315 In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. Fixed by 2.2.10-2+deb11u5 (affected by 9 other vulnerabilities)
VCID-qjez-wwmn-nfed CVE-2024-45490 An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. Fixed by 2.5.0-1+deb12u1 (affected by 5 other vulnerabilities)
VCID-um4b-36qj-g7fm CVE-2024-45492 An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). Fixed by 2.5.0-1+deb12u1 (affected by 5 other vulnerabilities)
VCID-uz2p-4rh7-pbcw DSA-5085-2 expat: regression update. Fixed by 2.2.10-2+deb11u5 (affected by 9 other vulnerabilities)
VCID-vk74-susn-mqfq CVE-2022-22825 lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. Fixed by 2.2.10-2+deb11u5 (affected by 9 other vulnerabilities)
VCID-xauk-rmhq-cuh2 CVE-2019-15903 In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early. A subsequent call to XML_GetCurrentLineNumber or XML_GetCurrentColumnNumber then resulted in a heap-based buffer over-read. Fixed by 2.2.10-2+deb11u5 (affected by 9 other vulnerabilities)
VCID-y4x5-nuu2-rbcv CVE-2022-43680 In libexpat through 2.4.9, there is a use-after-free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations. Fixed by 2.2.10-2+deb11u5 (affected by 9 other vulnerabilities)
VCID-yekb-k4pt-3qea CVE-2021-45960 In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory). Fixed by 2.2.10-2+deb11u5 (affected by 9 other vulnerabilities)
VCID-yf5j-7dnb-5ydf CVE-2022-25235 xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context. Fixed by 2.2.10-2+deb11u5 (affected by 9 other vulnerabilities)
VCID-zdee-murq-j7ay CVE-2022-23990 Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function. Fixed by 2.2.10-2+deb11u5 (affected by 9 other vulnerabilities)
Vulnerabilities fixed by this package (19)
Vulnerability Summary Aliases
VCID-38en-btnt-5bhw In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString. CVE-2022-25314
VCID-47ja-wy36-m7ey In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element. CVE-2022-25313
VCID-7ry9-j4mj-9qbv storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. CVE-2022-22827
VCID-bfcc-wr6s-bbeb In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize. CVE-2021-46143
VCID-d5kt-vj2g-2uf6 Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES. CVE-2022-23852
VCID-emb9-ht45-suej defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. CVE-2022-22824
VCID-eymk-66au-wbfe nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. CVE-2022-22826
VCID-fsrs-93re-6bf3 build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. CVE-2022-22823
VCID-mfbg-qmnn-cbbw CVE-2017-9233
VCID-p912-5aeb-xqdq addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. CVE-2022-22822
VCID-q4dm-bt19-nqb3 xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs. CVE-2022-25236
VCID-q5fr-c58g-sfeb In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. CVE-2022-25315
VCID-up6m-s5s7-rfft In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks). CVE-2018-20843
VCID-uz2p-4rh7-pbcw regression update DSA-5085-2 expat
VCID-vk74-susn-mqfq lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. CVE-2022-22825
VCID-xauk-rmhq-cuh2 In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early. A subsequent call to XML_GetCurrentLineNumber or XML_GetCurrentColumnNumber then resulted in a heap-based buffer over-read. CVE-2019-15903
VCID-yekb-k4pt-3qea In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory). CVE-2021-45960
VCID-yf5j-7dnb-5ydf xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context. CVE-2022-25235
VCID-zdee-murq-j7ay Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function. CVE-2022-23990
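Two things on this page need a check before the "Fixed by" column is acted on. First, the upstream ranges in the summaries ("before 2.4.3", "through 2.4.9") say nothing about a Debian package: Debian backports fixes, so 2.2.6-2+deb10u4 can carry a fix for a CVE whose summary names a much newer upstream release. Second, the package under review carries a buster revision (+deb10u4) while every fixing version listed against it comes from bullseye (+deb11u5) or bookworm (+deb12u1, +deb12u2); the change log on this page shows the same VCIDs imported as "Fixing" from the buster OVAL feed and as "Affected by" from the bullseye feed, which is what a cross-suite comparison produces. The following is an added example, not code from VulnerableCode or Debian: it re-implements dpkg's version ordering (epoch:upstream_version-debian_revision, with "~" sorting before everything including end-of-string) and only counts a fixing version when it belongs to the same suite as the installed package. The sample versions are constructed from this page, and the mapping of the +debNNuM suffix to a suite number is the example's own assumption (10 = buster, 11 = bullseye, 12 = bookworm).

```python
"""dpkg-style version comparison plus a suite-aware fixed/affected verdict.

Added example; not part of VulnerableCode or dpkg. Sample data is constructed
from the package page for expat 2.2.6-2+deb10u4.
"""
from __future__ import annotations

import re

_DIGITS = "0123456789"


def _order(c: str) -> int:
    """dpkg's character weight: '~' < end-of-string/digit < letters < other."""
    if c == "" or c in _DIGITS:
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare one version component the way dpkg's verrevcmp() does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights until both sides hit a digit or the end.
        while (i < len(a) and a[i] not in _DIGITS) or (j < len(b) and b[j] not in _DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: drop leading zeros, compare digit by digit, the longer run wins.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in _DIGITS and j < len(b) and b[j] in _DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in _DIGITS:
            return 1
        if j < len(b) and b[j] in _DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str) -> tuple[int, str, str]:
    """Split 'epoch:upstream-revision'; epoch defaults to 0 and revision to ''."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Negative if a < b, zero if equal, positive if a > b (dpkg --compare-versions)."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


# Assumption of this example: a '+debNNuM' revision suffix identifies the Debian
# release NN (10 = buster, 11 = bullseye, 12 = bookworm) that shipped the update.
_SUITE_RE = re.compile(r"\+deb(\d+)u\d+")


def suite_of(version: str) -> int | None:
    """Release number encoded in the revision, or None for a plain revision."""
    match = _SUITE_RE.search(parse_version(version)[2])
    return int(match.group(1)) if match else None


def verdict(installed: str, fixed_versions: list[str]) -> str:
    """'fixed'/'affected' against fixes from the installed package's own suite.

    A fixing version from another suite is not compared at all: that comparison
    is what turns a buster package into a false positive against a bullseye fix.
    """
    same_suite = [v for v in fixed_versions if suite_of(v) == suite_of(installed)]
    if not same_suite:
        return "unknown: no fix listed for this suite"
    if any(compare_versions(installed, v) >= 0 for v in same_suite):
        return "fixed"
    return "affected"


# Constructed from the page: the package under review and the "Fixed by"
# packages listed against three of its vulnerabilities.
PACKAGE = "2.2.6-2+deb10u4"
FIXED_BY = {
    "CVE-2022-25314": ["2.2.10-2+deb11u5"],
    "CVE-2024-45491": ["2.5.0-1+deb12u1"],
    "CVE-2024-50602": ["2.5.0-1+deb12u1", "2.5.0-1+deb12u2"],
}


def report(installed: str = PACKAGE) -> dict[str, str]:
    """Verdict per CVE for one installed version."""
    return {cve: verdict(installed, fixes) for cve, fixes in FIXED_BY.items()}


if __name__ == "__main__":
    for cve, result in report().items():
        print(PACKAGE, cve, result)
    for installed in ("2.5.0-1+deb12u1", "2.5.0-1+deb12u2"):
        print(installed, "CVE-2024-50602", report(installed)["CVE-2024-50602"])
```

For the buster package every verdict comes back "unknown", which is the honest answer this page supports: the buster fixing version is not listed here and has to come from the buster tracker or OVAL feed, not from a bullseye or bookworm version number. The bookworm pair behaves as the page states: 2.5.0-1+deb12u1 compares below 2.5.0-1+deb12u2, so a package at u1 is "affected" by anything whose only listed fix is u2.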

Date Actor Action Vulnerability Source VulnerableCode Version
2025-08-01T20:12:42.124013+00:00 Debian Oval Importer Affected by VCID-xauk-rmhq-cuh2 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T19:56:45.229061+00:00 Debian Oval Importer Affected by VCID-3g24-e9ng-z7gx https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T18:38:24.999530+00:00 Debian Oval Importer Fixing VCID-mfbg-qmnn-cbbw https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T17:55:15.925147+00:00 Debian Oval Importer Affected by VCID-p912-5aeb-xqdq https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T17:42:55.747190+00:00 Debian Oval Importer Affected by VCID-phjj-j9b4-w7ft https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T17:34:12.698965+00:00 Debian Oval Importer Affected by VCID-qjez-wwmn-nfed https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T17:22:05.524029+00:00 Debian Oval Importer Affected by VCID-7ry9-j4mj-9qbv https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T16:20:34.616027+00:00 Debian Oval Importer Affected by VCID-um4b-36qj-g7fm https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T15:38:55.671098+00:00 Debian Oval Importer Affected by VCID-emb9-ht45-suej https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T15:37:38.014979+00:00 Debian Oval Importer Affected by VCID-vk74-susn-mqfq https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T15:37:12.295286+00:00 Debian Oval Importer Affected by VCID-yf5j-7dnb-5ydf https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T15:13:29.003051+00:00 Debian Oval Importer Affected by VCID-47ja-wy36-m7ey https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T15:09:02.889710+00:00 Debian Oval Importer Affected by VCID-q4dm-bt19-nqb3 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T14:28:23.673185+00:00 Debian Oval Importer Affected by VCID-fsrs-93re-6bf3 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T14:20:29.073626+00:00 Debian Oval Importer Affected by VCID-y4x5-nuu2-rbcv https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T14:18:57.494490+00:00 Debian Oval Importer Affected by VCID-uz2p-4rh7-pbcw https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T14:13:49.382435+00:00 Debian Oval Importer Affected by VCID-jk3t-c9pe-c3a1 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T14:06:04.743327+00:00 Debian Oval Importer Affected by VCID-bfcc-wr6s-bbeb https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T13:44:41.821985+00:00 Debian Oval Importer Affected by VCID-dgs1-y858-hfhp https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T13:36:06.984644+00:00 Debian Oval Importer Affected by VCID-38en-btnt-5bhw https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T13:34:52.631669+00:00 Debian Oval Importer Affected by VCID-zdee-murq-j7ay https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T13:23:38.761978+00:00 Debian Oval Importer Affected by VCID-q5fr-c58g-sfeb https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T13:16:40.127678+00:00 Debian Oval Importer Affected by VCID-d5kt-vj2g-2uf6 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T13:04:30.491123+00:00 Debian Oval Importer Affected by VCID-yekb-k4pt-3qea https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T11:56:05.650334+00:00 Debian Oval Importer Fixing VCID-up6m-s5s7-rfft https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T11:53:13.421837+00:00 Debian Oval Importer Affected by VCID-eymk-66au-wbfe https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T11:45:49.484100+00:00 Debian Oval Importer Fixing VCID-q4dm-bt19-nqb3 https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 37.0.0
2025-08-01T11:42:31.385398+00:00 Debian Oval Importer Fixing VCID-47ja-wy36-m7ey https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 37.0.0
2025-08-01T11:40:39.095646+00:00 Debian Oval Importer Fixing VCID-p912-5aeb-xqdq https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 37.0.0
2025-08-01T11:39:07.912868+00:00 Debian Oval Importer Fixing VCID-yf5j-7dnb-5ydf https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 37.0.0
2025-08-01T11:38:35.636923+00:00 Debian Oval Importer Fixing VCID-uz2p-4rh7-pbcw https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 37.0.0
2025-08-01T11:37:03.494139+00:00 Debian Oval Importer Fixing VCID-bfcc-wr6s-bbeb https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 37.0.0
2025-08-01T11:33:56.694581+00:00 Debian Oval Importer Fixing VCID-yekb-k4pt-3qea https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 37.0.0
2025-08-01T11:29:57.409961+00:00 Debian Oval Importer Fixing VCID-eymk-66au-wbfe https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 37.0.0
2025-08-01T11:25:22.379865+00:00 Debian Oval Importer Fixing VCID-38en-btnt-5bhw https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 37.0.0
2025-08-01T11:23:34.514591+00:00 Debian Oval Importer Fixing VCID-zdee-murq-j7ay https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 37.0.0
2025-08-01T11:21:56.500291+00:00 Debian Oval Importer Fixing VCID-vk74-susn-mqfq https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 37.0.0
2025-08-01T11:21:54.314840+00:00 Debian Oval Importer Fixing VCID-d5kt-vj2g-2uf6 https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 37.0.0
2025-08-01T11:20:00.868531+00:00 Debian Oval Importer Fixing VCID-fsrs-93re-6bf3 https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 37.0.0
2025-08-01T11:15:50.923862+00:00 Debian Oval Importer Fixing VCID-xauk-rmhq-cuh2 https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 37.0.0
2025-08-01T11:15:37.478638+00:00 Debian Oval Importer Fixing VCID-emb9-ht45-suej https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 37.0.0
2025-08-01T11:12:33.095413+00:00 Debian Oval Importer Fixing VCID-7ry9-j4mj-9qbv https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 37.0.0
2025-08-01T11:12:11.131931+00:00 Debian Oval Importer Fixing VCID-q5fr-c58g-sfeb https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 37.0.0