{"id":"ASB-A-219942275","details":"In storeAtts of xmlparse.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-219942275","CVE-2022-22822"],"modified":"2026-05-26T15:46:26.044149249Z","published":"2022-09-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-09-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/external/expat/+/f898dc229b8b520a0f28898b7955e55943330584/"}],"affected":[{"package":{"name":"platform/external/expat","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"10:0"},{"fixed":"10:2022-09-01"}]}],"versions":["10"],"ecosystem_specific":{"spl":"2022-09-01","severity":"High","fixes":["https://android.googlesource.com/platform/external/expat/+/15a1f35dddde9c1a0a626972349a59642abd345a"],"types":["EoP"],"vanir_signatures":[{"signature_type":"Function","deprecated":false,"id":"ASB-A-219942275-172765b4","digest":{"function_hash":"179976131993151750528125585085579301895","length":428},"target":{"file":"lib/xmlparse.c","function":"build_model"},"source":"https://android.googlesource.com/platform/external/expat/+/15a1f35dddde9c1a0a626972349a59642abd345a","signature_version":"v1"},{"signature_type":"Function","deprecated":false,"id":"ASB-A-219942275-1bbe7e88","digest":{"function_hash":"144607037851536191895429127197354004944","length":3470},"target":{"file":"lib/xmlparse.c","function":"addBinding"},"source":"https://android.googlesource.com/platform/external/expat/+/15a1f35dddde9c1a0a626972349a59642abd345a","signature_version":"v1"},{"signature_type":"Function","deprecated":false,"digest":{"function_hash":"80236641310749493488983546933386479997","length":8685},"target":{"file":"lib/xmlparse.c","function":"storeAtts"},"signature_version":"v1","source":"https://android.googlesource.com/platform/external/expat/+/15a1f35dddde9c1a0a626972349a59642abd345a","id":"ASB-A-219942275-62251be2"},{"signature_type":"Function","deprecated":false,"digest":{"function_hash":"53507312955846466464698618564733633091","length":1147},"target":{"file":"lib/xmlparse.c","function":"defineAttribute"},"signature_version":"v1","source":"https://android.googlesource.com/platform/external/expat/+/15a1f35dddde9c1a0a626972349a59642abd345a","id":"ASB-A-219942275-7e875cd6"},{"signature_type":"Function","deprecated":false,"target":{"file":"lib/xmlparse.c","function":"nextScaffoldPart"},"id":"ASB-A-219942275-84579230","signature_version":"v1","source":"https://android.googlesource.com/platform/external/expat/+/15a1f35dddde9c1a0a626972349a59642abd345a","digest":{"function_hash":"71810207303697646971319438653387330853","length":1180}},{"signature_type":"Function","deprecated":false,"signature_version":"v1","id":"ASB-A-219942275-84a7d46f","digest":{"function_hash":"108642901590263511653063885036874946323","length":2156},"source":"https://android.googlesource.com/platform/external/expat/+/15a1f35dddde9c1a0a626972349a59642abd345a","target":{"file":"lib/xmlparse.c","function":"lookup"}},{"signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["223799819926058656319836144584163452693","285694765022870440959907623190863236245","124624278936175411774192493587400394934","5527740047189149474868937779060907523","207528506396819772716099548982043436018","64494957442579479067173847313406264471","185998065906355787466352314472966260772","93154500618235451685566345696181460043","211087526667399075377723518378173384441","227722335802688820752452539033408788869","287215835525873618889978931929925617892","135311281610499616668566237522620803453","229351667191596123456867218399513158242","181780448495663949899460749671558042549","340168848810194959957844508079343424789","114642229293748130665258357716488591956","42175792180550828494674126970015634366","88539272394041331906642501778333521955","134092145356801649550239270381674054072","130973380815226841209046850804112449038","10848183519571471490996467262754922632","195323324894612476920484531025145122349","289365183606170097292399720670681264771","59438059781642515853939429939701878115","78323446624387944043628811789596345174","142538869860603314192662672694267973585","175326988041607017106717838172671630114","127482269535855363128682556280168162736","206057180390636159222088931299221038447","257157183529682335826791755456358150451","261570518136910986990966008116145241440","21877875250761763351776709881304332805","121173072938223458767611727486965265061","189390920671744530938051528044356182004","244599306446007034311952899952619479101","141086976630520953252050422832015308904","157429159418352724047969455500551301154","52912980116624268126842191977178447493","288093603507052066714288040024101552083","49125355809116516078567349023687486440","140254909788755058986255047935358022022","59945357194085835472548739679934699074","327654197725855225967403094038594547918","50414283785912038896358700672411907049","88533279415329437471671070878966509120","225808841637412556486800610078055148838","195628374370582671298812719389189974861","133762674333171622001383136931585174015","130096525224016876536526178520947425275","186012461785052513837297811230796192709"]},"signature_version":"v1","id":"ASB-A-219942275-a8f39b40","source":"https://android.googlesource.com/platform/external/expat/+/15a1f35dddde9c1a0a626972349a59642abd345a","target":{"file":"lib/xmlparse.c"}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-219942275.json"}},{"package":{"name":"platform/external/expat","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2022-09-01"}]}],"versions":["11"],"ecosystem_specific":{"spl":"2022-09-01","severity":"High","fixes":["https://android.googlesource.com/platform/external/expat/+/d69c95de710f6a362ca4a7e7e7dca411955771dd"],"types":["EoP"],"vanir_signatures":[{"signature_type":"Function","deprecated":false,"target":{"file":"lib/xmlparse.c","function":"storeAtts"},"id":"ASB-A-219942275-15be89e3","signature_version":"v1","source":"https://android.googlesource.com/platform/external/expat/+/d69c95de710f6a362ca4a7e7e7dca411955771dd","digest":{"function_hash":"80236641310749493488983546933386479997","length":8685}},{"signature_type":"Function","deprecated":false,"target":{"file":"lib/xmlparse.c","function":"lookup"},"id":"ASB-A-219942275-2f08dcc1","signature_version":"v1","source":"https://android.googlesource.com/platform/external/expat/+/d69c95de710f6a362ca4a7e7e7dca411955771dd","digest":{"function_hash":"108642901590263511653063885036874946323","length":2156}},{"signature_type":"Function","deprecated":false,"digest":{"function_hash":"144607037851536191895429127197354004944","length":3470},"signature_version":"v1","id":"ASB-A-219942275-6f155105","source":"https://android.googlesource.com/platform/external/expat/+/d69c95de710f6a362ca4a7e7e7dca411955771dd","target":{"file":"lib/xmlparse.c","function":"addBinding"}},{"signature_type":"Function","deprecated":false,"id":"ASB-A-219942275-76c3dcc3","digest":{"function_hash":"179976131993151750528125585085579301895","length":428},"target":{"file":"lib/xmlparse.c","function":"build_model"},"source":"https://android.googlesource.com/platform/external/expat/+/d69c95de710f6a362ca4a7e7e7dca411955771dd","signature_version":"v1"},{"signature_type":"Function","deprecated":false,"digest":{"function_hash":"53507312955846466464698618564733633091","length":1147},"target":{"file":"lib/xmlparse.c","function":"defineAttribute"},"signature_version":"v1","source":"https://android.googlesource.com/platform/external/expat/+/d69c95de710f6a362ca4a7e7e7dca411955771dd","id":"ASB-A-219942275-7f15e7eb"},{"signature_type":"Function","deprecated":false,"signature_version":"v1","id":"ASB-A-219942275-ab60e499","digest":{"function_hash":"71810207303697646971319438653387330853","length":1180},"source":"https://android.googlesource.com/platform/external/expat/+/d69c95de710f6a362ca4a7e7e7dca411955771dd","target":{"file":"lib/xmlparse.c","function":"nextScaffoldPart"}},{"signature_type":"Line","deprecated":false,"target":{"file":"lib/xmlparse.c"},"id":"ASB-A-219942275-d1f3a08b","signature_version":"v1","source":"https://android.googlesource.com/platform/external/expat/+/d69c95de710f6a362ca4a7e7e7dca411955771dd","digest":{"threshold":0.9,"line_hashes":["223799819926058656319836144584163452693","285694765022870440959907623190863236245","124624278936175411774192493587400394934","5527740047189149474868937779060907523","207528506396819772716099548982043436018","64494957442579479067173847313406264471","185998065906355787466352314472966260772","93154500618235451685566345696181460043","23395259181702376629101269846025809178","203874545052483936785971797497744476556","327050376575102936830000429655841785546","135311281610499616668566237522620803453","308414355371498134587000568041602526949","333073980410237437756842058150512999863","99404388748626481065000561953632897220","114642229293748130665258357716488591956","42175792180550828494674126970015634366","88539272394041331906642501778333521955","134092145356801649550239270381674054072","130973380815226841209046850804112449038","10848183519571471490996467262754922632","195323324894612476920484531025145122349","289365183606170097292399720670681264771","48395394706863834050321886629054441195","78323446624387944043628811789596345174","142538869860603314192662672694267973585","205507834500794947628470265847326052081","84524653045140711188240093439392617108","215015690880889517476756286454261892829","105466941644625063994769240130645816043","313802660918175977502601550073561827351","66662981884611705583149282912468184287","41520815539834275642782226874305203845","189390920671744530938051528044356182004","244599306446007034311952899952619479101","141086976630520953252050422832015308904","157429159418352724047969455500551301154","52912980116624268126842191977178447493","288093603507052066714288040024101552083","49125355809116516078567349023687486440","140254909788755058986255047935358022022","59945357194085835472548739679934699074","18043944618647772873859678615861009522","50414283785912038896358700672411907049","88533279415329437471671070878966509120","225808841637412556486800610078055148838","195628374370582671298812719389189974861","133762674333171622001383136931585174015","130096525224016876536526178520947425275","186012461785052513837297811230796192709"]}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-219942275.json"}},{"package":{"name":"platform/external/expat","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2022-09-01"}]}],"versions":["12"],"ecosystem_specific":{"spl":"2022-09-01","severity":"High","fixes":["https://android.googlesource.com/platform/external/expat/+/67d6d8dfef9af2be3b915614e224778eda943ea5"],"types":["EoP"],"vanir_signatures":[{"signature_type":"Function","deprecated":false,"target":{"file":"lib/xmlparse.c","function":"addBinding"},"id":"ASB-A-219942275-0e6b5a82","signature_version":"v1","source":"https://android.googlesource.com/platform/external/expat/+/67d6d8dfef9af2be3b915614e224778eda943ea5","digest":{"function_hash":"144607037851536191895429127197354004944","length":3470}},{"signature_type":"Function","deprecated":false,"signature_version":"v1","id":"ASB-A-219942275-16ab8126","digest":{"function_hash":"80236641310749493488983546933386479997","length":8685},"source":"https://android.googlesource.com/platform/external/expat/+/67d6d8dfef9af2be3b915614e224778eda943ea5","target":{"file":"lib/xmlparse.c","function":"storeAtts"}},{"signature_type":"Function","deprecated":false,"target":{"file":"lib/xmlparse.c","function":"build_model"},"id":"ASB-A-219942275-6598aa44","signature_version":"v1","source":"https://android.googlesource.com/platform/external/expat/+/67d6d8dfef9af2be3b915614e224778eda943ea5","digest":{"function_hash":"179976131993151750528125585085579301895","length":428}},{"signature_type":"Function","deprecated":false,"digest":{"function_hash":"53507312955846466464698618564733633091","length":1147},"target":{"file":"lib/xmlparse.c","function":"defineAttribute"},"signature_version":"v1","source":"https://android.googlesource.com/platform/external/expat/+/67d6d8dfef9af2be3b915614e224778eda943ea5","id":"ASB-A-219942275-6e107c90"},{"signature_type":"Function","deprecated":false,"target":{"file":"lib/xmlparse.c","function":"lookup"},"id":"ASB-A-219942275-992a7222","signature_version":"v1","source":"https://android.googlesource.com/platform/external/expat/+/67d6d8dfef9af2be3b915614e224778eda943ea5","digest":{"function_hash":"108642901590263511653063885036874946323","length":2156}},{"signature_type":"Function","deprecated":false,"digest":{"function_hash":"71810207303697646971319438653387330853","length":1180},"target":{"file":"lib/xmlparse.c","function":"nextScaffoldPart"},"signature_version":"v1","source":"https://android.googlesource.com/platform/external/expat/+/67d6d8dfef9af2be3b915614e224778eda943ea5","id":"ASB-A-219942275-d9a5e525"},{"signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["223799819926058656319836144584163452693","285694765022870440959907623190863236245","124624278936175411774192493587400394934","5527740047189149474868937779060907523","207528506396819772716099548982043436018","64494957442579479067173847313406264471","185998065906355787466352314472966260772","93154500618235451685566345696181460043","23395259181702376629101269846025809178","203874545052483936785971797497744476556","327050376575102936830000429655841785546","135311281610499616668566237522620803453","308414355371498134587000568041602526949","333073980410237437756842058150512999863","99404388748626481065000561953632897220","114642229293748130665258357716488591956","42175792180550828494674126970015634366","88539272394041331906642501778333521955","134092145356801649550239270381674054072","130973380815226841209046850804112449038","10848183519571471490996467262754922632","195323324894612476920484531025145122349","289365183606170097292399720670681264771","48395394706863834050321886629054441195","78323446624387944043628811789596345174","142538869860603314192662672694267973585","205507834500794947628470265847326052081","84524653045140711188240093439392617108","215015690880889517476756286454261892829","105466941644625063994769240130645816043","313802660918175977502601550073561827351","66662981884611705583149282912468184287","41520815539834275642782226874305203845","189390920671744530938051528044356182004","244599306446007034311952899952619479101","141086976630520953252050422832015308904","157429159418352724047969455500551301154","52912980116624268126842191977178447493","288093603507052066714288040024101552083","49125355809116516078567349023687486440","140254909788755058986255047935358022022","59945357194085835472548739679934699074","18043944618647772873859678615861009522","50414283785912038896358700672411907049","88533279415329437471671070878966509120","225808841637412556486800610078055148838","195628374370582671298812719389189974861","133762674333171622001383136931585174015","130096525224016876536526178520947425275","186012461785052513837297811230796192709"]},"target":{"file":"lib/xmlparse.c"},"signature_version":"v1","source":"https://android.googlesource.com/platform/external/expat/+/67d6d8dfef9af2be3b915614e224778eda943ea5","id":"ASB-A-219942275-fb44444c"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-219942275.json"}},{"package":{"name":"platform/external/expat","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2022-09-01"}]}],"versions":["12L"],"ecosystem_specific":{"spl":"2022-09-01","severity":"High","fixes":["https://android.googlesource.com/platform/external/expat/+/d40d805e85e9b64725fbdc863ea099f30d0dc949"],"types":["EoP"],"vanir_signatures":[{"signature_type":"Function","deprecated":false,"id":"ASB-A-219942275-29947244","digest":{"function_hash":"71810207303697646971319438653387330853","length":1180},"target":{"file":"lib/xmlparse.c","function":"nextScaffoldPart"},"source":"https://android.googlesource.com/platform/external/expat/+/d40d805e85e9b64725fbdc863ea099f30d0dc949","signature_version":"v1"},{"signature_type":"Function","deprecated":false,"id":"ASB-A-219942275-443251c8","digest":{"function_hash":"144607037851536191895429127197354004944","length":3470},"target":{"file":"lib/xmlparse.c","function":"addBinding"},"source":"https://android.googlesource.com/platform/external/expat/+/d40d805e85e9b64725fbdc863ea099f30d0dc949","signature_version":"v1"},{"signature_type":"Function","deprecated":false,"target":{"file":"lib/xmlparse.c","function":"defineAttribute"},"id":"ASB-A-219942275-53eb6e65","signature_version":"v1","source":"https://android.googlesource.com/platform/external/expat/+/d40d805e85e9b64725fbdc863ea099f30d0dc949","digest":{"function_hash":"53507312955846466464698618564733633091","length":1147}},{"signature_type":"Line","deprecated":false,"id":"ASB-A-219942275-6794d9b2","digest":{"threshold":0.9,"line_hashes":["223799819926058656319836144584163452693","285694765022870440959907623190863236245","124624278936175411774192493587400394934","5527740047189149474868937779060907523","207528506396819772716099548982043436018","64494957442579479067173847313406264471","185998065906355787466352314472966260772","93154500618235451685566345696181460043","23395259181702376629101269846025809178","203874545052483936785971797497744476556","327050376575102936830000429655841785546","135311281610499616668566237522620803453","308414355371498134587000568041602526949","333073980410237437756842058150512999863","99404388748626481065000561953632897220","114642229293748130665258357716488591956","42175792180550828494674126970015634366","88539272394041331906642501778333521955","134092145356801649550239270381674054072","130973380815226841209046850804112449038","10848183519571471490996467262754922632","195323324894612476920484531025145122349","289365183606170097292399720670681264771","48395394706863834050321886629054441195","78323446624387944043628811789596345174","142538869860603314192662672694267973585","205507834500794947628470265847326052081","84524653045140711188240093439392617108","215015690880889517476756286454261892829","105466941644625063994769240130645816043","313802660918175977502601550073561827351","66662981884611705583149282912468184287","41520815539834275642782226874305203845","189390920671744530938051528044356182004","244599306446007034311952899952619479101","141086976630520953252050422832015308904","157429159418352724047969455500551301154","52912980116624268126842191977178447493","288093603507052066714288040024101552083","49125355809116516078567349023687486440","140254909788755058986255047935358022022","59945357194085835472548739679934699074","18043944618647772873859678615861009522","50414283785912038896358700672411907049","88533279415329437471671070878966509120","225808841637412556486800610078055148838","195628374370582671298812719389189974861","133762674333171622001383136931585174015","130096525224016876536526178520947425275","186012461785052513837297811230796192709"]},"target":{"file":"lib/xmlparse.c"},"source":"https://android.googlesource.com/platform/external/expat/+/d40d805e85e9b64725fbdc863ea099f30d0dc949","signature_version":"v1"},{"signature_type":"Function","deprecated":false,"signature_version":"v1","id":"ASB-A-219942275-8d7a331f","digest":{"function_hash":"108642901590263511653063885036874946323","length":2156},"source":"https://android.googlesource.com/platform/external/expat/+/d40d805e85e9b64725fbdc863ea099f30d0dc949","target":{"file":"lib/xmlparse.c","function":"lookup"}},{"signature_type":"Function","deprecated":false,"id":"ASB-A-219942275-e706cd6c","digest":{"function_hash":"179976131993151750528125585085579301895","length":428},"target":{"file":"lib/xmlparse.c","function":"build_model"},"source":"https://android.googlesource.com/platform/external/expat/+/d40d805e85e9b64725fbdc863ea099f30d0dc949","signature_version":"v1"},{"signature_type":"Function","deprecated":false,"digest":{"function_hash":"80236641310749493488983546933386479997","length":8685},"target":{"file":"lib/xmlparse.c","function":"storeAtts"},"signature_version":"v1","source":"https://android.googlesource.com/platform/external/expat/+/d40d805e85e9b64725fbdc863ea099f30d0dc949","id":"ASB-A-219942275-e82d78e0"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-219942275.json"}}],"schema_version":"1.7.5"}