Impact
xmlwf, the XML writer used in the libexpat library, contains an integer overflow bug in the endDoctypeDecl routine when processing NOTATION declarations. The overflow can corrupt internal counters and may lead to buffer overrun or other memory corruption, which could compromise the integrity of the application parsing the XML. The bug is not an immediate remote code execution flaw, but it can be leveraged by an attacker who supplies a crafted XML document to cause application instability or create an opportunity for more complex exploitation.
Affected Systems
The vulnerability affects libexpat in all releases prior to 2.8.2. Any software that links against that library and parses XML containing NOTATION declarations is potentially impacted, including embedded processors, web servers, and application frameworks that include libexpat.
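The two checks a defender wants from the preceding sections are whether the expat build an application actually links is at least 2.8.2, and a way to keep untrusted input away from the DOCTYPE/NOTATION processing path until it is. The following Python is an added example, not code from the libexpat project or from OpenCVE. It uses the standard library's xml.parsers.expat binding (a real module) to do both; the function names, the DoctypeRejected class and the sample documents are constructed for this illustration. Refusing the DOCTYPE is a blunt mitigation: it also rejects benign documents that declare a DTD, so it suits applications that never need one.

```python
"""Defensive checks for applications parsing XML through expat (added example)."""
from xml.parsers import expat

# Constructed sample: a document whose internal DTD subset carries a NOTATION
# declaration, the construct the advisory names as the trigger path.
SAMPLE_WITH_NOTATION = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE doc [\n'
    '  <!NOTATION gif SYSTEM "image/gif">\n'
    ']>\n'
    '<doc/>\n'
)
# Constructed sample: an ordinary document with no DOCTYPE at all.
SAMPLE_PLAIN = '<?xml version="1.0"?><doc><item>ok</item></doc>'

FIXED_VERSION = (2, 8, 2)  # first release the advisory lists as not affected


def linked_expat_is_fixed(version_info=None):
    """Return True if the expat linked into this interpreter is >= 2.8.2.

    version_info defaults to the (major, minor, micro) tuple the binding
    reports; passing a tuple lets callers check another build's version.
    """
    info = expat.version_info if version_info is None else version_info
    return tuple(info) >= FIXED_VERSION


class DoctypeRejected(ValueError):
    """Raised when an untrusted document declares a DOCTYPE."""


def parse_without_doctype(xml_text):
    """Parse xml_text, refusing any document that declares a DOCTYPE.

    NOTATION declarations can only appear inside a DTD, so stopping at the
    DOCTYPE start keeps the vulnerable declaration-processing path from
    being reached for untrusted input. Returns the element names seen.
    """
    seen = []
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # An exception raised inside a handler propagates out of Parse().
        raise DoctypeRejected(f"DOCTYPE '{name}' rejected before DTD processing")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(xml_text, True)
    return seen


def rejects_doctype(xml_text):
    """Return True if parse_without_doctype refuses xml_text."""
    try:
        parse_without_doctype(xml_text)
    except DoctypeRejected:
        return True
    return False


if __name__ == "__main__":
    print("linked expat:", expat.EXPAT_VERSION,
          "fixed" if linked_expat_is_fixed() else "UPDATE NEEDED")
    print("plain document elements:", parse_without_doctype(SAMPLE_PLAIN))
    print("NOTATION document rejected:", rejects_doctype(SAMPLE_WITH_NOTATION))
```

Run as a script it prints the version the interpreter's expat reports and whether that is at or past 2.8.2; in an application, call linked_expat_is_fixed() at startup and route untrusted input through parse_without_doctype() until the library is upgraded.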
Risk and Exploitability
The CVSS score of 6.9 indicates moderate severity, and no EPSS score is available, so the likelihood of exploitation is unclear. The vulnerability is not listed in the CISA KEV catalog, suggesting no mass exploitation has been reported. The likely attack vector requires an attacker to supply malicious XML input that is processed by the vulnerable library, which may be possible in remote or local contexts depending on the application's exposure to untrusted data.
OpenCVE Enrichment