CVE-2021-45960

HIGH8.8EPSS 0.32%

expat - security update

Published: 1/1/2022Modified: 4/28/2026

Description

In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).

Affected packages (5)

Alpine/expatfrom 0, < 2.2.10-r0
Debian/expatfrom 0, < 2.2.10-2+deb11u1
Debian/expatfrom 0, < 2.2.0-2+deb9u4
Debian/expatfrom 0, < 2.2.6-2+deb10u2
Debian/libxmltokfrom 0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (2)

ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2021-45960
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2021-45960