Vulnerability details: VCID-3g24-e9ng-z7gx
Vulnerability ID VCID-3g24-e9ng-z7gx
Aliases CVE-2022-40674
Summary A flaw in XML parsing could have led to a use-after-free causing a potentially exploitable crash. *In official releases of Firefox this vulnerability is mitigated by wasm sandboxing; versions managed by Linux distributions may have other settings.*
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
System Score Found at
cvssv3 8.1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40674.json
epss 0.00625 https://api.first.org/data/v1/epss?cve=CVE-2022-40674
cvssv3.1 8.1 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 8.1 https://github.com/libexpat/libexpat/pull/629
ssvc Track https://github.com/libexpat/libexpat/pull/629
cvssv3.1 8.1 https://github.com/libexpat/libexpat/pull/640
ssvc Track https://github.com/libexpat/libexpat/pull/640
cvssv3.1 8.1 https://lists.debian.org/debian-lts-announce/2022/09/msg00029.html
ssvc Track https://lists.debian.org/debian-lts-announce/2022/09/msg00029.html
cvssv3.1 8.1 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GSVZN3IJ6OCPSJL7AEX3ZHSHAHFOGESK/
ssvc Track https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GSVZN3IJ6OCPSJL7AEX3ZHSHAHFOGESK/
cvssv3.1 8.1 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J2IGJNHFV53PYST7VQV3T4NHVYAMXA36/
ssvc Track https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J2IGJNHFV53PYST7VQV3T4NHVYAMXA36/
cvssv3.1 8.1 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LQB6FJAM5YQ35SF5B2MN25Y2FX56EOEZ/
ssvc Track https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LQB6FJAM5YQ35SF5B2MN25Y2FX56EOEZ/
cvssv3.1 8.1 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2ZKEPGFCZ7R6DRVH3K6RBJPT42ZBEG/
ssvc Track https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2ZKEPGFCZ7R6DRVH3K6RBJPT42ZBEG/
cvssv3.1 8.1 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGBVQQ47URGJAZWHCISHDWF6QBTV2LE/
ssvc Track https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGBVQQ47URGJAZWHCISHDWF6QBTV2LE/
cvssv3.1 8.1 https://nvd.nist.gov/vuln/detail/CVE-2022-40674
archlinux Unknown https://security.archlinux.org/AVG-2815
cvssv3.1 8.1 https://security.gentoo.org/glsa/202209-24
ssvc Track https://security.gentoo.org/glsa/202209-24
cvssv3.1 8.1 https://security.gentoo.org/glsa/202211-06
ssvc Track https://security.gentoo.org/glsa/202211-06
cvssv3.1 8.1 https://security.netapp.com/advisory/ntap-20221028-0008/
ssvc Track https://security.netapp.com/advisory/ntap-20221028-0008/
cvssv3.1 8.1 https://www.debian.org/security/2022/dsa-5236
ssvc Track https://www.debian.org/security/2022/dsa-5236
generic_textual high https://www.mozilla.org/en-US/security/advisories/mfsa2022-47
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40674.json
https://api.first.org/data/v1/epss?cve=CVE-2022-40674
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40674
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
1019761 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019761
202209-24 https://security.gentoo.org/glsa/202209-24
202211-06 https://security.gentoo.org/glsa/202211-06
2130769 https://bugzilla.redhat.com/show_bug.cgi?id=2130769
629 https://github.com/libexpat/libexpat/pull/629
640 https://github.com/libexpat/libexpat/pull/640
AVG-2815 https://security.archlinux.org/AVG-2815
cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
CVE-2022-40674 https://nvd.nist.gov/vuln/detail/CVE-2022-40674
dsa-5236 https://www.debian.org/security/2022/dsa-5236
GSVZN3IJ6OCPSJL7AEX3ZHSHAHFOGESK https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GSVZN3IJ6OCPSJL7AEX3ZHSHAHFOGESK/
J2IGJNHFV53PYST7VQV3T4NHVYAMXA36 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J2IGJNHFV53PYST7VQV3T4NHVYAMXA36/
LQB6FJAM5YQ35SF5B2MN25Y2FX56EOEZ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LQB6FJAM5YQ35SF5B2MN25Y2FX56EOEZ/
mfsa2022-47 https://www.mozilla.org/en-US/security/advisories/mfsa2022-47
msg00029.html https://lists.debian.org/debian-lts-announce/2022/09/msg00029.html
ntap-20221028-0008 https://security.netapp.com/advisory/ntap-20221028-0008/
RHSA-2022:6831 https://access.redhat.com/errata/RHSA-2022:6831
RHSA-2022:6832 https://access.redhat.com/errata/RHSA-2022:6832
RHSA-2022:6833 https://access.redhat.com/errata/RHSA-2022:6833
RHSA-2022:6834 https://access.redhat.com/errata/RHSA-2022:6834
RHSA-2022:6838 https://access.redhat.com/errata/RHSA-2022:6838
RHSA-2022:6878 https://access.redhat.com/errata/RHSA-2022:6878
RHSA-2022:6921 https://access.redhat.com/errata/RHSA-2022:6921
RHSA-2022:6967 https://access.redhat.com/errata/RHSA-2022:6967
RHSA-2022:6995 https://access.redhat.com/errata/RHSA-2022:6995
RHSA-2022:6996 https://access.redhat.com/errata/RHSA-2022:6996
RHSA-2022:6997 https://access.redhat.com/errata/RHSA-2022:6997
RHSA-2022:6998 https://access.redhat.com/errata/RHSA-2022:6998
RHSA-2022:7019 https://access.redhat.com/errata/RHSA-2022:7019
RHSA-2022:7020 https://access.redhat.com/errata/RHSA-2022:7020
RHSA-2022:7021 https://access.redhat.com/errata/RHSA-2022:7021
RHSA-2022:7022 https://access.redhat.com/errata/RHSA-2022:7022
RHSA-2022:7023 https://access.redhat.com/errata/RHSA-2022:7023
RHSA-2022:7024 https://access.redhat.com/errata/RHSA-2022:7024
RHSA-2022:7025 https://access.redhat.com/errata/RHSA-2022:7025
RHSA-2022:7026 https://access.redhat.com/errata/RHSA-2022:7026
RHSA-2022:8598 https://access.redhat.com/errata/RHSA-2022:8598
RHSA-2022:8841 https://access.redhat.com/errata/RHSA-2022:8841
RHSA-2023:3068 https://access.redhat.com/errata/RHSA-2023:3068
USN-5638-1 https://usn.ubuntu.com/5638-1/
USN-5638-2 https://usn.ubuntu.com/5638-2/
USN-5638-4 https://usn.ubuntu.com/5638-4/
USN-5726-1 https://usn.ubuntu.com/5726-1/
WE2ZKEPGFCZ7R6DRVH3K6RBJPT42ZBEG https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2ZKEPGFCZ7R6DRVH3K6RBJPT42ZBEG/
XCGBVQQ47URGJAZWHCISHDWF6QBTV2LE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGBVQQ47URGJAZWHCISHDWF6QBTV2LE/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40674.json
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/libexpat/libexpat/pull/629
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-30T19:17:58Z/ Found at https://github.com/libexpat/libexpat/pull/629
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/libexpat/libexpat/pull/640
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-30T19:17:58Z/ Found at https://github.com/libexpat/libexpat/pull/640
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://lists.debian.org/debian-lts-announce/2022/09/msg00029.html
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-30T19:17:58Z/ Found at https://lists.debian.org/debian-lts-announce/2022/09/msg00029.html
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GSVZN3IJ6OCPSJL7AEX3ZHSHAHFOGESK/
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-30T19:17:58Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GSVZN3IJ6OCPSJL7AEX3ZHSHAHFOGESK/
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J2IGJNHFV53PYST7VQV3T4NHVYAMXA36/
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-30T19:17:58Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J2IGJNHFV53PYST7VQV3T4NHVYAMXA36/
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LQB6FJAM5YQ35SF5B2MN25Y2FX56EOEZ/
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-30T19:17:58Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LQB6FJAM5YQ35SF5B2MN25Y2FX56EOEZ/
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2ZKEPGFCZ7R6DRVH3K6RBJPT42ZBEG/
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-30T19:17:58Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2ZKEPGFCZ7R6DRVH3K6RBJPT42ZBEG/
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGBVQQ47URGJAZWHCISHDWF6QBTV2LE/
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-30T19:17:58Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGBVQQ47URGJAZWHCISHDWF6QBTV2LE/
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-40674
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://security.gentoo.org/glsa/202209-24
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-30T19:17:58Z/ Found at https://security.gentoo.org/glsa/202209-24
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://security.gentoo.org/glsa/202211-06
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-30T19:17:58Z/ Found at https://security.gentoo.org/glsa/202211-06
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://security.netapp.com/advisory/ntap-20221028-0008/
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-30T19:17:58Z/ Found at https://security.netapp.com/advisory/ntap-20221028-0008/
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.debian.org/security/2022/dsa-5236
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-30T19:17:58Z/ Found at https://www.debian.org/security/2022/dsa-5236
Exploit Prediction Scoring System (EPSS)
Percentile 0.69266
EPSS Score 0.00625
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:10:03.822950+00:00 Mozilla Importer Import https://github.com/mozilla/foundation-security-advisories/blob/master/announce/2022/mfsa2022-47.yml 37.0.0