vulnerability
Amazon Linux 2023: CVE-2021-45960: Critical priority package update for expat
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 9 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | Jan 17, 2022 | Feb 17, 2025 | Jul 4, 2025 |
Severity
9
CVSS
(AV:N/AC:L/Au:S/C:C/I:C/A:C)
Published
Jan 17, 2022
Added
Feb 17, 2025
Modified
Jul 4, 2025
Description
In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).
expat (libexpat) is susceptible to a software flaw that causes process interruption. When processing a large number of prefixed XML attributes on a single tag can libexpat can terminate unexpectedly due to buffer overrun. The highest threat from this vulnerability is to availability.
expat (libexpat) is susceptible to a software flaw that causes process interruption. When processing a large number of prefixed XML attributes on a single tag can libexpat can terminate unexpectedly due to buffer overrun. The highest threat from this vulnerability is to availability.
Solutions
amazon-linux-2023-upgrade-expatamazon-linux-2023-upgrade-expat-debuginfoamazon-linux-2023-upgrade-expat-debugsourceamazon-linux-2023-upgrade-expat-develamazon-linux-2023-upgrade-expat-static
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.