{"id":"ASB-A-221256678","details":"In closeString of xmlparse.c, there is a possible memory corruption due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-221256678","CVE-2022-23990"],"modified":"2026-05-27T15:53:17.428190120Z","published":"2022-09-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-09-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/external/expat/+/257f1d3777240016d3ccd74a61cd7d0e0efcaae3"}],"affected":[{"package":{"name":"platform/external/expat","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"10:0"},{"fixed":"10:2022-09-01"}]}],"versions":["10"],"ecosystem_specific":{"vanir_signatures":[{"source":"https://android.googlesource.com/platform/external/expat/+/257f1d3777240016d3ccd74a61cd7d0e0efcaae3","target":{"function":"doProlog","file":"lib/xmlparse.c"},"digest":{"length":27763,"function_hash":"194916051013109020439257286648267021551"},"deprecated":false,"signature_version":"v1","id":"ASB-A-221256678-34904c4e","signature_type":"Function"},{"deprecated":false,"target":{"file":"lib/xmlparse.c"},"digest":{"threshold":0.9,"line_hashes":["339326044285764152046173097361304582891","80189087112477729323498696954329671836","332728795067340892905178233217556801001","222029021349265669637245538079790074657","221317009947586808221619481242038985796","99349835761178515549295296412854684740","187269274721543235825387369240793720506","61317863099045868358128820708933024829","122050159338687557815072393947045263208","161136089803808513250300821260233738451","87078006104052797860574317967163509607","232327690192941995352027900811732422356","297867436599823948476812071841674933398","191058153855019843145782312493874618054","213207860056129544246399960674346981714","153277542590348788033796345559096625066","189143837280181008597514096578596137128","103054339028902983481167122157516390565","309889577854558010845876679495858090275","218126424916799469382031295780882932650"]},"source":"https://android.googlesource.com/platform/external/expat/+/257f1d3777240016d3ccd74a61cd7d0e0efcaae3","signature_version":"v1","id":"ASB-A-221256678-8a81a85d","signature_type":"Line"}],"types":["EoP"],"spl":"2022-09-01","severity":"High","fixes":["https://android.googlesource.com/platform/external/expat/+/257f1d3777240016d3ccd74a61cd7d0e0efcaae3"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-221256678.json"}},{"package":{"name":"platform/external/expat","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2022-09-01"}]}],"versions":["11"],"ecosystem_specific":{"vanir_signatures":[{"deprecated":false,"target":{"file":"lib/xmlparse.c"},"digest":{"threshold":0.9,"line_hashes":["339326044285764152046173097361304582891","37517056343669458741212050199709508032","35613909015179879119886763859434258788","184538079924971805284425482750745354605","37167670863099582326420273828710157536","128141464681805290033676726535339920132","146412106355233493138691733981388781214","218126424916799469382031295780882932650"]},"source":"https://android.googlesource.com/platform/external/expat/+/8524cb8b7b377ff6acb1ca51afc7255d02c4170b","signature_version":"v1","id":"ASB-A-221256678-dde4366a","signature_type":"Line"},{"source":"https://android.googlesource.com/platform/external/expat/+/8524cb8b7b377ff6acb1ca51afc7255d02c4170b","target":{"function":"doProlog","file":"lib/xmlparse.c"},"digest":{"length":27964,"function_hash":"250342439851380564132105541905090514381"},"deprecated":false,"signature_version":"v1","id":"ASB-A-221256678-e086e3c0","signature_type":"Function"}],"types":["EoP"],"spl":"2022-09-01","severity":"High","fixes":["https://android.googlesource.com/platform/external/expat/+/8524cb8b7b377ff6acb1ca51afc7255d02c4170b"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-221256678.json"}},{"package":{"name":"platform/external/expat","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2022-09-01"}]}],"versions":["12"],"ecosystem_specific":{"vanir_signatures":[{"deprecated":false,"target":{"file":"lib/xmlparse.c"},"digest":{"threshold":0.9,"line_hashes":["339326044285764152046173097361304582891","37517056343669458741212050199709508032","35613909015179879119886763859434258788","184538079924971805284425482750745354605","37167670863099582326420273828710157536","128141464681805290033676726535339920132","146412106355233493138691733981388781214","218126424916799469382031295780882932650"]},"source":"https://android.googlesource.com/platform/external/expat/+/247dff003581d92e089626d8304eb27a53c8f160","signature_version":"v1","id":"ASB-A-221256678-406c5875","signature_type":"Line"},{"source":"https://android.googlesource.com/platform/external/expat/+/247dff003581d92e089626d8304eb27a53c8f160","target":{"function":"doProlog","file":"lib/xmlparse.c"},"digest":{"length":27964,"function_hash":"250342439851380564132105541905090514381"},"deprecated":false,"signature_version":"v1","id":"ASB-A-221256678-9c24eb51","signature_type":"Function"}],"types":["EoP"],"spl":"2022-09-01","severity":"High","fixes":["https://android.googlesource.com/platform/external/expat/+/247dff003581d92e089626d8304eb27a53c8f160"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-221256678.json"}},{"package":{"name":"platform/external/expat","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2022-09-01"}]}],"versions":["12L"],"ecosystem_specific":{"vanir_signatures":[{"deprecated":false,"target":{"file":"lib/xmlparse.c"},"digest":{"threshold":0.9,"line_hashes":["339326044285764152046173097361304582891","37517056343669458741212050199709508032","35613909015179879119886763859434258788","184538079924971805284425482750745354605","37167670863099582326420273828710157536","128141464681805290033676726535339920132","146412106355233493138691733981388781214","218126424916799469382031295780882932650"]},"source":"https://android.googlesource.com/platform/external/expat/+/b7179f2c886badb2158fa5dfcc57c54d201bc677","signature_version":"v1","id":"ASB-A-221256678-799ae9e9","signature_type":"Line"},{"deprecated":false,"target":{"function":"doProlog","file":"lib/xmlparse.c"},"digest":{"length":27964,"function_hash":"250342439851380564132105541905090514381"},"source":"https://android.googlesource.com/platform/external/expat/+/b7179f2c886badb2158fa5dfcc57c54d201bc677","signature_version":"v1","id":"ASB-A-221256678-9cace653","signature_type":"Function"}],"types":["EoP"],"spl":"2022-09-01","severity":"High","fixes":["https://android.googlesource.com/platform/external/expat/+/b7179f2c886badb2158fa5dfcc57c54d201bc677"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-221256678.json"}}],"schema_version":"1.7.5"}