Vulnerability Report

CVE-2022-22822

Title: Integer overflow in Expat addBinding

Vulnerability

Proof Of Concept

PoC Available for CVE-2022-22822

CWE Category CWE-190
Published Date Jan 10, 2022
Modified Date May 05, 2025
Exploit Status Available
Score 9.8 CVSS v3.1
Exploit Probability (EPSS)
1.33%

Vulnerability Summary

CVE-2022-22822: addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

Impacted Vendors

N
nessus 1
L
libexpat_project 1
T
tenable 1
S
siemens 1

Reference Links

http://www.openwall.com/lists/oss-security/2022/01/17/3 https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf https://github.com/libexpat/libexpat/pull/539 https://security.gentoo.org/glsa/202209-24 https://www.debian.org/security/2022/dsa-5073 https://www.tenable.com/security/tns-2022-05 http://www.openwall.com/lists/oss-security/2022/01/17/3 https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf https://github.com/libexpat/libexpat/pull/539 https://security.gentoo.org/glsa/202209-24 https://www.debian.org/security/2022/dsa-5073 https://www.tenable.com/security/tns-2022-05
CVSS v3.1
Source Entity [email protected]
Severity CRITICAL
9.8
Attack Vector
NETWORK
Complexity
LOW
Privileges
N/A
Interaction
NONE
Confidentiality
N/A
Integrity
N/A
Availability
N/A
Scope
UNCHANGED
RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v3.1
Source Entity 134c704f-9b21-4f2e-91b3-4a467353bcc0
Severity CRITICAL
9.8
Attack Vector
NETWORK
Complexity
LOW
Privileges
N/A
Interaction
NONE
Confidentiality
N/A
Integrity
N/A
Availability
N/A
Scope
UNCHANGED
RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2.0
Source Entity [email protected]
Severity HIGH
7.5
Access Vector
N/A
Authentication
N/A
RAW VECTOR AV:N/AC:L/Au:N/C:P/I:P/A:P

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2022-22822 Exploits & PoCs (Proof Of Concept)

GitHub https://github.com/nanopathi/external_expat_AOSP10_r33_CVE-2022-22822toCVE-2022-22827
View Code
MODIFIED

Vulnerability data or affected products updated.

PUBLISHED

Vulnerability first announced in NVD.

Attack Vector Matrix

Access Vector NETWORK
Complexity LOW
Privileges N/A
Interaction NONE
CVSS Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Stack

No specific products linked.