Vulnerabilities
Misconfiguration
Compliance
CVE Vulnerabilities

CVE-2022-40674

Use After Free

Published: Sep 14, 2022 | Modified: May 30, 2025
CVSS 3.x
8.1
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
8.1 IMPORTANT
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Ubuntu
MEDIUM
Vulnerability-free packages from our partners
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2022-40674
CWEhttps://cwe.mitre.org/data/definitions/416.html

libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.

Weakness

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Affected Software

Name Vendor Start Version End Version
Libexpat Libexpat_project * 2.4.9 (excluding)
Red Hat Enterprise Linux 6 Extended Lifecycle Support RedHat expat-0:2.0.1-15.el6_10 *
Red Hat Enterprise Linux 6 Extended Lifecycle Support RedHat compat-expat1-0:1.95.8-9.el6_10 *
Red Hat Enterprise Linux 7 RedHat expat-0:2.1.0-15.el7_9 *
Red Hat Enterprise Linux 7 RedHat firefox-0:102.3.0-7.el7_9 *
Red Hat Enterprise Linux 7 RedHat thunderbird-0:102.3.0-4.el7_9 *
Red Hat Enterprise Linux 8 RedHat thunderbird-0:102.3.0-4.el8_6 *
Red Hat Enterprise Linux 8 RedHat firefox-0:102.3.0-7.el8_6 *
Red Hat Enterprise Linux 8 RedHat mingw-expat-0:2.4.8-2.el8 *
Red Hat Enterprise Linux 8 RedHat expat-0:2.2.5-8.el8_6.3 *
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions RedHat firefox-0:102.3.0-7.el8_1 *
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions RedHat thunderbird-0:102.3.0-4.el8_1 *
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions RedHat expat-0:2.2.5-3.el8_1.2 *
Red Hat Enterprise Linux 8.2 Extended Update Support RedHat thunderbird-0:102.3.0-4.el8_2 *
Red Hat Enterprise Linux 8.2 Extended Update Support RedHat firefox-0:102.3.0-7.el8_2 *
Red Hat Enterprise Linux 8.2 Extended Update Support RedHat expat-0:2.2.5-3.el8_2.3 *
Red Hat Enterprise Linux 8.4 Extended Update Support RedHat thunderbird-0:102.3.0-4.el8_4 *
Red Hat Enterprise Linux 8.4 Extended Update Support RedHat firefox-0:102.3.0-7.el8_4 *
Red Hat Enterprise Linux 8.4 Extended Update Support RedHat expat-0:2.2.5-4.el8_4.4 *
Red Hat Enterprise Linux 9 RedHat expat-0:2.2.10-12.el9_0.3 *
Red Hat Enterprise Linux 9 RedHat firefox-0:102.3.0-7.el9_0 *
Red Hat Enterprise Linux 9 RedHat thunderbird-0:102.3.0-4.el9_0 *
Red Hat Enterprise Linux 9 RedHat expat-0:2.2.10-12.el9_0.3 *
Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 RedHat redhat-virtualization-host-0:4.5.3-202211170828_8.6 *
Text-Only JBCS RedHat expat *
Apache2 Ubuntu trusty *
Apache2 Ubuntu xenial *
Apr-util Ubuntu trusty *
Apr-util Ubuntu xenial *
Ayttm Ubuntu trusty *
Ayttm Ubuntu xenial *
Cableswig Ubuntu trusty *
Cableswig Ubuntu xenial *
Cadaver Ubuntu bionic *
Cadaver Ubuntu focal *
Cadaver Ubuntu kinetic *
Cadaver Ubuntu lunar *
Cadaver Ubuntu mantic *
Cadaver Ubuntu oracular *
Cadaver Ubuntu trusty *
Cadaver Ubuntu xenial *
Cmake Ubuntu trusty *
Cmake Ubuntu xenial *
Coin3 Ubuntu bionic *
Coin3 Ubuntu focal *
Coin3 Ubuntu kinetic *
Coin3 Ubuntu lunar *
Coin3 Ubuntu mantic *
Coin3 Ubuntu oracular *
Coin3 Ubuntu trusty *
Coin3 Ubuntu trusty/esm *
Coin3 Ubuntu xenial *
Expat Ubuntu bionic *
Expat Ubuntu devel *
Expat Ubuntu esm-infra-legacy/trusty *
Expat Ubuntu esm-infra/bionic *
Expat Ubuntu esm-infra/focal *
Expat Ubuntu esm-infra/xenial *
Expat Ubuntu focal *
Expat Ubuntu jammy *
Expat Ubuntu kinetic *
Expat Ubuntu lunar *
Expat Ubuntu mantic *
Expat Ubuntu noble *
Expat Ubuntu oracular *
Expat Ubuntu plucky *
Expat Ubuntu trusty *
Expat Ubuntu trusty/esm *
Expat Ubuntu xenial *
Firefox Ubuntu bionic *
Firefox Ubuntu focal *
Firefox Ubuntu trusty *
Firefox Ubuntu xenial *
Gdcm Ubuntu bionic *
Gdcm Ubuntu focal *
Gdcm Ubuntu kinetic *
Gdcm Ubuntu lunar *
Gdcm Ubuntu mantic *
Gdcm Ubuntu oracular *
Gdcm Ubuntu trusty *
Gdcm Ubuntu trusty/esm *
Gdcm Ubuntu xenial *
Ghostscript Ubuntu trusty *
Ghostscript Ubuntu xenial *
Insighttoolkit Ubuntu trusty *
Insighttoolkit Ubuntu xenial *
Insighttoolkit4 Ubuntu trusty *
Insighttoolkit4 Ubuntu xenial *
Libxmltok Ubuntu bionic *
Libxmltok Ubuntu kinetic *
Libxmltok Ubuntu lunar *
Libxmltok Ubuntu mantic *
Libxmltok Ubuntu trusty *
Libxmltok Ubuntu upstream *
Matanza Ubuntu bionic *
Matanza Ubuntu devel *
Matanza Ubuntu esm-apps/bionic *
Matanza Ubuntu esm-apps/focal *
Matanza Ubuntu esm-apps/jammy *
Matanza Ubuntu esm-apps/noble *
Matanza Ubuntu esm-apps/xenial *
Matanza Ubuntu focal *
Matanza Ubuntu jammy *
Matanza Ubuntu kinetic *
Matanza Ubuntu lunar *
Matanza Ubuntu mantic *
Matanza Ubuntu noble *
Matanza Ubuntu oracular *
Matanza Ubuntu plucky *
Matanza Ubuntu trusty *
Matanza Ubuntu xenial *
Smart Ubuntu bionic *
Smart Ubuntu trusty *
Smart Ubuntu xenial *
Swish-e Ubuntu bionic *
Swish-e Ubuntu focal *
Swish-e Ubuntu kinetic *
Swish-e Ubuntu lunar *
Swish-e Ubuntu mantic *
Swish-e Ubuntu oracular *
Swish-e Ubuntu trusty *
Swish-e Ubuntu xenial *
Tdom Ubuntu bionic *
Tdom Ubuntu focal *
Tdom Ubuntu kinetic *
Tdom Ubuntu lunar *
Tdom Ubuntu mantic *
Tdom Ubuntu oracular *
Tdom Ubuntu trusty *
Tdom Ubuntu xenial *
Texlive-bin Ubuntu trusty *
Texlive-bin Ubuntu xenial *
Thunderbird Ubuntu bionic *
Thunderbird Ubuntu devel *
Thunderbird Ubuntu focal *
Thunderbird Ubuntu jammy *
Thunderbird Ubuntu kinetic *
Thunderbird Ubuntu lunar *
Thunderbird Ubuntu mantic *
Thunderbird Ubuntu noble *
Thunderbird Ubuntu oracular *
Thunderbird Ubuntu plucky *
Thunderbird Ubuntu trusty *
Thunderbird Ubuntu xenial *
Vnc4 Ubuntu bionic *
Vnc4 Ubuntu trusty *
Vnc4 Ubuntu trusty/esm *
Vnc4 Ubuntu xenial *
Vtk Ubuntu trusty *
Vtk Ubuntu trusty/esm *
Vtk Ubuntu xenial *
Wbxml2 Ubuntu bionic *
Wbxml2 Ubuntu focal *
Wbxml2 Ubuntu kinetic *
Wbxml2 Ubuntu lunar *
Wbxml2 Ubuntu mantic *
Wbxml2 Ubuntu oracular *
Wbxml2 Ubuntu trusty *
Wbxml2 Ubuntu xenial *
Xmlrpc-c Ubuntu bionic *
Xmlrpc-c Ubuntu focal *
Xmlrpc-c Ubuntu kinetic *
Xmlrpc-c Ubuntu lunar *
Xmlrpc-c Ubuntu mantic *
Xmlrpc-c Ubuntu oracular *
Xmlrpc-c Ubuntu trusty *
Xmlrpc-c Ubuntu trusty/esm *
Xmlrpc-c Ubuntu xenial *

Extended Description

The use of previously-freed memory can have any number of adverse consequences, ranging from the corruption of valid data to the execution of arbitrary code, depending on the instantiation and timing of the flaw. The simplest way data corruption may occur involves the system’s reuse of the freed memory. Use-after-free errors have two common and sometimes overlapping causes:

In this scenario, the memory in question is allocated to another pointer validly at some point after it has been freed. The original pointer to the freed memory is used again and points to somewhere within the new allocation. As the data is changed, it corrupts the validly used memory; this induces undefined behavior in the process. If the newly allocated data happens to hold a class, in C++ for example, various function pointers may be scattered within the heap data. If one of these function pointers is overwritten with an address to valid shellcode, execution of arbitrary code can be achieved.

Potential Mitigations

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2025 Aqua Security Software Ltd.   Privacy Policy | Terms of Use