Expat Large Dynamic Memory Allocation Vulnerability

Vulnerability

A vulnerability in the Expat XML parser library, in versions prior to 2.7.2, allows an attacker to trigger very large dynamic memory allocations by submitting a small XML document for parsing. The result is excessive memory use and a potential denial-of-service condition.

Impact

Exploitation of this vulnerability can exhaust available memory, causing a denial-of-service condition in which the application crashes or becomes unresponsive.

Reproduction

The vulnerability can be reproduced by using the Expat XML parser to process a small document encoded in UTF-16BE. This can be done with the 'xml_parse_fuzzer_UTF-16BE' fuzzer, which is part of the OSS-Fuzz project's fuzzing tests for Expat.

Remediation

Users can update to Expat version 2.7.2 or later, where this vulnerability has been fixed. Instructions for downloading the latest version can be found on the Expat GitHub repository.
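Because Expat is often bundled inside other software, the upgrade is easier to track with a version audit. The following is an added example, not code from the Expat project or from this advisory: it compares Expat version strings against the 2.7.2 fix release named above and also reports the Expat build that the running Python interpreter's pyexpat module uses. The component names and the sample inventory are constructed for illustration.

```python
import re
from xml.parsers import expat

FIXED = (2, 7, 2)  # first fixed Expat release, per this advisory

def parse_expat_version(text):
    """Pull (major, minor, micro) out of strings like 'expat_2.7.1' or '1:2.6.4-1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())

def is_affected(version):
    """Numeric tuple comparison, so 2.10.0 sorts after 2.7.2 (a string compare would not)."""
    return tuple(version) < FIXED

def audit(inventory):
    """inventory: iterable of (component, version_string).
    Returns a list of (component, version_tuple_or_None, status)."""
    report = []
    for component, raw in inventory:
        try:
            version = parse_expat_version(raw)
        except ValueError:
            report.append((component, None, "unknown"))
            continue
        status = "affected" if is_affected(version) else "fixed"
        report.append((component, version, status))
    return report

def runtime_expat():
    """Expat version this interpreter's pyexpat was built against, e.g. 'expat_2.6.3'."""
    return ("python-pyexpat", expat.EXPAT_VERSION)

# Constructed sample inventory; component names and versions are hypothetical.
SAMPLE = [
    ("vendored-parser-a", "expat_2.7.1"),
    ("vendored-parser-b", "expat_2.7.2"),
    ("distro-package", "1:2.6.4-1"),
    ("future-release", "2.10.0"),
    ("stripped-binary", "unknown build"),
]

if __name__ == "__main__":
    for component, version, status in audit([runtime_expat()] + SAMPLE):
        shown = ".".join(map(str, version)) if version else "?"
        print(f"{component:20} {shown:8} {status}")
```

A distribution package with a version string below 2.7.2 may carry a backported fix, so an "affected" result for a distro package is a prompt to check the vendor's changelog rather than a final verdict.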

Added: Sep 15, 2025, 3:17 AM
Updated: Sep 15, 2025, 3:17 AM

Vulnerability Rating

Custom Algorithm

spread: 8.4
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.