Impact
The vulnerability arises because libexpat before version 2.8.2 fails to consider XML_TOK_DATA_CHARS when processing CDATA sections, which bypasses handler call depth tracking. This omission can result in a use‑after‑free condition (CWE‑416) and a failure to correctly track handler depth can also lead to heap corruption (CWE‑825). An attacker capable of supplying crafted XML that triggers a policy violation can trigger the use‑after‑free, potentially corrupting heap memory. The direct impact may include application crashes; arbitrary code execution is inferred based on typical use‑after‑free outcomes but is not explicitly stated in the CVE.
Affected Systems
The libexpat library from the libexpat project, in any installation using a version older than 2.8.2, is affected. The library is frequently embedded in applications and operating systems for XML parsing, implying potential widespread impact – an inference.
Risk and Exploitability
The CVSS score of 4.9 places the vulnerability in the low-to-moderate range, and the EPSS score is not available while it is not listed in KEV, indicating no known active exploitation. The presence of a use‑after‑free condition means that an attacker who can supply malicious XML could exploit the flaw. The exploitation might lead to heap corruption, which could result in crashes or, as inferred, run arbitrary code, although no active attacks have been recorded. The likely attack vector involves providing malicious XML input to a vulnerable application that uses libexpat before 2.8.2.
OpenCVE Enrichment