{"id":"ASB-A-221255869","details":"In XML_GetBuffer of xmlparse.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-221255869","CVE-2022-23852"],"modified":"2026-04-15T15:55:00.724021Z","published":"2022-09-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-09-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/external/expat/+/d6a09f1b7fb24dd03dc58e45062ad951a37ff8e3"}],"affected":[{"package":{"name":"platform/external/expat","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"10:0"},{"fixed":"10:2022-09-01"}]}],"versions":["10"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/external/expat/+/d6a09f1b7fb24dd03dc58e45062ad951a37ff8e3"],"types":["EoP"],"vanir_signatures":[{"id":"ASB-A-221255869-4251a019","signature_type":"Function","source":"https://android.googlesource.com/platform/external/expat/+/d6a09f1b7fb24dd03dc58e45062ad951a37ff8e3","digest":{"length":3362,"function_hash":"138352415732303108501810443154813624150"},"signature_version":"v1","deprecated":false,"target":{"file":"lib/xmlparse.c","function":"XML_GetBuffer"}},{"id":"ASB-A-221255869-74cb59a4","signature_type":"Line","source":"https://android.googlesource.com/platform/external/expat/+/d6a09f1b7fb24dd03dc58e45062ad951a37ff8e3","digest":{"threshold":0.9,"line_hashes":["23769882794062647382828236930866184936","290891614970733481005294944513108526091","91523872996065765435832856955889506431","278119019981747821834661111398495361216"]},"signature_version":"v1","deprecated":false,"target":{"file":"lib/xmlparse.c"}}],"spl":"2022-09-01","severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-221255869.json"}},{"package":{"name":"platform/external/expat","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2022-09-01"}]}],"versions":["11"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/external/expat/+/9d79464dab550b27e3eb33592ece02ec68ba19b0"],"types":["EoP"],"vanir_signatures":[{"id":"ASB-A-221255869-3e822306","signature_type":"Line","source":"https://android.googlesource.com/platform/external/expat/+/9d79464dab550b27e3eb33592ece02ec68ba19b0","digest":{"threshold":0.9,"line_hashes":["23769882794062647382828236930866184936","290891614970733481005294944513108526091","224374138601710745415227448825105997927","4077327238122989552024957943116553897"]},"signature_version":"v1","deprecated":false,"target":{"file":"lib/xmlparse.c"}},{"id":"ASB-A-221255869-5c6ed63f","signature_type":"Function","source":"https://android.googlesource.com/platform/external/expat/+/9d79464dab550b27e3eb33592ece02ec68ba19b0","digest":{"length":3223,"function_hash":"78338412100891045482255719798124897640"},"signature_version":"v1","deprecated":false,"target":{"file":"lib/xmlparse.c","function":"XML_GetBuffer"}}],"spl":"2022-09-01","severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-221255869.json"}},{"package":{"name":"platform/external/expat","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2022-09-01"}]}],"versions":["12"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/external/expat/+/a924d536de39ee21d4ab7051a3d13684162259bf"],"types":["EoP"],"vanir_signatures":[{"id":"ASB-A-221255869-9398e5f6","signature_type":"Line","source":"https://android.googlesource.com/platform/external/expat/+/a924d536de39ee21d4ab7051a3d13684162259bf","digest":{"threshold":0.9,"line_hashes":["23769882794062647382828236930866184936","290891614970733481005294944513108526091","224374138601710745415227448825105997927","4077327238122989552024957943116553897"]},"signature_version":"v1","deprecated":false,"target":{"file":"lib/xmlparse.c"}},{"id":"ASB-A-221255869-f69eba6a","signature_type":"Function","source":"https://android.googlesource.com/platform/external/expat/+/a924d536de39ee21d4ab7051a3d13684162259bf","digest":{"length":3223,"function_hash":"78338412100891045482255719798124897640"},"signature_version":"v1","deprecated":false,"target":{"file":"lib/xmlparse.c","function":"XML_GetBuffer"}}],"spl":"2022-09-01","severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-221255869.json"}},{"package":{"name":"platform/external/expat","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2022-09-01"}]}],"versions":["12L"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/external/expat/+/7a0950222b2ca17204fcb8d0c20ce7cabd934949"],"types":["EoP"],"vanir_signatures":[{"id":"ASB-A-221255869-2ebae99f","signature_type":"Function","source":"https://android.googlesource.com/platform/external/expat/+/7a0950222b2ca17204fcb8d0c20ce7cabd934949","digest":{"length":3223,"function_hash":"78338412100891045482255719798124897640"},"signature_version":"v1","deprecated":false,"target":{"file":"lib/xmlparse.c","function":"XML_GetBuffer"}},{"id":"ASB-A-221255869-78fea371","signature_type":"Line","source":"https://android.googlesource.com/platform/external/expat/+/7a0950222b2ca17204fcb8d0c20ce7cabd934949","digest":{"threshold":0.9,"line_hashes":["23769882794062647382828236930866184936","290891614970733481005294944513108526091","224374138601710745415227448825105997927","4077327238122989552024957943116553897"]},"signature_version":"v1","deprecated":false,"target":{"file":"lib/xmlparse.c"}}],"spl":"2022-09-01","severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-221255869.json"}}],"schema_version":"1.7.5"}