{"id":"ASB-A-274231102","details":"In several functions of xmlregexp.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-274231102","CVE-2023-40128"],"modified":"2026-05-22T15:55:21.353668239Z","published":"2023-10-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2023-10-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/external/libxml2/+/1ccf89b87a3969edd56956e2d447f896037c8be7"}],"affected":[{"package":{"name":"platform/external/libxml2","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2023-10-01"}]}],"versions":["11"],"ecosystem_specific":{"spl":"2023-10-01","vanir_signatures":[{"digest":{"length":4192,"function_hash":"286849544817418768335908216744020265449"},"id":"ASB-A-274231102-9a2724a6","deprecated":false,"source":"https://android.googlesource.com/platform/external/libxml2/+/381160fc2a293d50a627c9e35bb34485bf97b6e7","target":{"function":"xmlFAGenerateTransitions","file":"xmlregexp.c"},"signature_type":"Function","signature_version":"v1"},{"digest":{"line_hashes":["19425799061210353593077284545013811363","5907603357197868905669115033062480205","37650081241679653630269798644214843044","230570562004109944517098004816911128269","251770770304899036841109856180359482455","304698920401754550621011024863766267122","32026019354401868928204667467178777430","169754711938011847781472798512900816415","243219486569140842104847391148576644862","187143736696446723813293942197096075893","164238930355821149871022389360426165860","327717555065096168191060962796201950705","288294457797168187934754749586048936509","151052489551114435308986337394479570459","213006275826760076516076958279528888219","178020714517195066202660648075087089950","243219486569140842104847391148576644862","187143736696446723813293942197096075893","164238930355821149871022389360426165860","327717555065096168191060962796201950705","288294457797168187934754749586048936509","151052489551114435308986337394479570459","213006275826760076516076958279528888219","22748492019790916104206250717897407969","307044815513582077165993042811738588826","262182975630621246209206463987280754057","340003719122539253473702446077555889163","150563184359254906168590771611801629189","306092578858770519986257278171310209807","20181567728655020568300040981209146032","288435753353998236815381509283233810709","16244480229490051662226600603476136641","307044815513582077165993042811738588826","262182975630621246209206463987280754057","340003719122539253473702446077555889163","150563184359254906168590771611801629189","306092578858770519986257278171310209807","20181567728655020568300040981209146032","288435753353998236815381509283233810709","120975947584594195072212574675430384303"],"threshold":0.9},"id":"ASB-A-274231102-9b984df5","deprecated":false,"source":"https://android.googlesource.com/platform/external/libxml2/+/381160fc2a293d50a627c9e35bb34485bf97b6e7","target":{"file":"xmlregexp.c"},"signature_type":"Line","signature_version":"v1"},{"digest":{"length":1028,"function_hash":"45312315292554977945286378268126194603"},"id":"ASB-A-274231102-9cd53a19","deprecated":false,"source":"https://android.googlesource.com/platform/external/libxml2/+/381160fc2a293d50a627c9e35bb34485bf97b6e7","target":{"function":"xmlAutomataNewCountTrans","file":"xmlregexp.c"},"signature_type":"Function","signature_version":"v1"},{"digest":{"length":1483,"function_hash":"320995382150417517862002393554507749409"},"id":"ASB-A-274231102-c55f1260","deprecated":false,"source":"https://android.googlesource.com/platform/external/libxml2/+/381160fc2a293d50a627c9e35bb34485bf97b6e7","target":{"function":"xmlAutomataNewCountTrans2","file":"xmlregexp.c"},"signature_type":"Function","signature_version":"v1"},{"digest":{"length":881,"function_hash":"168991425808716676318447426641166953902"},"id":"ASB-A-274231102-dacbfb06","deprecated":false,"source":"https://android.googlesource.com/platform/external/libxml2/+/381160fc2a293d50a627c9e35bb34485bf97b6e7","target":{"function":"xmlAutomataNewOnceTrans","file":"xmlregexp.c"},"signature_type":"Function","signature_version":"v1"},{"digest":{"length":1336,"function_hash":"194289442730404476567257505472944491342"},"id":"ASB-A-274231102-eeca2513","deprecated":false,"source":"https://android.googlesource.com/platform/external/libxml2/+/381160fc2a293d50a627c9e35bb34485bf97b6e7","target":{"function":"xmlAutomataNewOnceTrans2","file":"xmlregexp.c"},"signature_type":"Function","signature_version":"v1"}],"severity":"High","types":["EoP"],"fixes":["https://android.googlesource.com/platform/external/libxml2/+/381160fc2a293d50a627c9e35bb34485bf97b6e7"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-274231102.json"}},{"package":{"name":"platform/external/libxml2","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2023-10-01"}]}],"versions":["12"],"ecosystem_specific":{"spl":"2023-10-01","types":["EoP"],"severity":"High","vanir_signatures":[{"digest":{"line_hashes":["19425799061210353593077284545013811363","5907603357197868905669115033062480205","37650081241679653630269798644214843044","230570562004109944517098004816911128269","251770770304899036841109856180359482455","304698920401754550621011024863766267122","32026019354401868928204667467178777430","169754711938011847781472798512900816415","243219486569140842104847391148576644862","187143736696446723813293942197096075893","164238930355821149871022389360426165860","327717555065096168191060962796201950705","288294457797168187934754749586048936509","151052489551114435308986337394479570459","213006275826760076516076958279528888219","178020714517195066202660648075087089950","243219486569140842104847391148576644862","187143736696446723813293942197096075893","164238930355821149871022389360426165860","327717555065096168191060962796201950705","288294457797168187934754749586048936509","151052489551114435308986337394479570459","213006275826760076516076958279528888219","22748492019790916104206250717897407969","307044815513582077165993042811738588826","262182975630621246209206463987280754057","340003719122539253473702446077555889163","150563184359254906168590771611801629189","306092578858770519986257278171310209807","20181567728655020568300040981209146032","288435753353998236815381509283233810709","16244480229490051662226600603476136641","307044815513582077165993042811738588826","262182975630621246209206463987280754057","340003719122539253473702446077555889163","150563184359254906168590771611801629189","306092578858770519986257278171310209807","20181567728655020568300040981209146032","288435753353998236815381509283233810709","120975947584594195072212574675430384303"],"threshold":0.9},"id":"ASB-A-274231102-20796487","deprecated":false,"source":"https://android.googlesource.com/platform/external/libxml2/+/761198eaee09f721452adfefa92b9a6c9b875f24","target":{"file":"xmlregexp.c"},"signature_type":"Line","signature_version":"v1"},{"digest":{"length":1028,"function_hash":"45312315292554977945286378268126194603"},"id":"ASB-A-274231102-222e01e4","deprecated":false,"source":"https://android.googlesource.com/platform/external/libxml2/+/761198eaee09f721452adfefa92b9a6c9b875f24","target":{"function":"xmlAutomataNewCountTrans","file":"xmlregexp.c"},"signature_type":"Function","signature_version":"v1"},{"digest":{"length":1483,"function_hash":"320995382150417517862002393554507749409"},"id":"ASB-A-274231102-5f3bf677","deprecated":false,"source":"https://android.googlesource.com/platform/external/libxml2/+/761198eaee09f721452adfefa92b9a6c9b875f24","target":{"function":"xmlAutomataNewCountTrans2","file":"xmlregexp.c"},"signature_type":"Function","signature_version":"v1"},{"digest":{"length":860,"function_hash":"73338815645371492332508725579366774982"},"id":"ASB-A-274231102-b1028d23","deprecated":false,"source":"https://android.googlesource.com/platform/external/libxml2/+/761198eaee09f721452adfefa92b9a6c9b875f24","target":{"function":"xmlAutomataNewOnceTrans","file":"xmlregexp.c"},"signature_type":"Function","signature_version":"v1"},{"digest":{"length":4193,"function_hash":"24896819028198972162326686889226208718"},"id":"ASB-A-274231102-c347fcdd","deprecated":false,"source":"https://android.googlesource.com/platform/external/libxml2/+/761198eaee09f721452adfefa92b9a6c9b875f24","target":{"function":"xmlFAGenerateTransitions","file":"xmlregexp.c"},"signature_type":"Function","signature_version":"v1"},{"digest":{"length":1315,"function_hash":"25374719156014082904346898533442674231"},"id":"ASB-A-274231102-eed3ed7f","deprecated":false,"source":"https://android.googlesource.com/platform/external/libxml2/+/761198eaee09f721452adfefa92b9a6c9b875f24","target":{"function":"xmlAutomataNewOnceTrans2","file":"xmlregexp.c"},"signature_type":"Function","signature_version":"v1"}],"fixes":["https://android.googlesource.com/platform/external/libxml2/+/761198eaee09f721452adfefa92b9a6c9b875f24"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-274231102.json"}},{"package":{"name":"platform/external/libxml2","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2023-10-01"}]}],"versions":["12L"],"ecosystem_specific":{"spl":"2023-10-01","types":["EoP"],"severity":"High","vanir_signatures":[{"digest":{"length":1028,"function_hash":"45312315292554977945286378268126194603"},"id":"ASB-A-274231102-0f1eecdf","deprecated":false,"source":"https://android.googlesource.com/platform/external/libxml2/+/19e6d50dbabcfbbb53f5410c19ea5613e0a8ad7a","target":{"function":"xmlAutomataNewCountTrans","file":"xmlregexp.c"},"signature_type":"Function","signature_version":"v1"},{"digest":{"length":860,"function_hash":"73338815645371492332508725579366774982"},"id":"ASB-A-274231102-3f189db3","deprecated":false,"source":"https://android.googlesource.com/platform/external/libxml2/+/19e6d50dbabcfbbb53f5410c19ea5613e0a8ad7a","target":{"function":"xmlAutomataNewOnceTrans","file":"xmlregexp.c"},"signature_type":"Function","signature_version":"v1"},{"digest":{"line_hashes":["19425799061210353593077284545013811363","5907603357197868905669115033062480205","37650081241679653630269798644214843044","230570562004109944517098004816911128269","251770770304899036841109856180359482455","304698920401754550621011024863766267122","32026019354401868928204667467178777430","169754711938011847781472798512900816415","243219486569140842104847391148576644862","187143736696446723813293942197096075893","164238930355821149871022389360426165860","327717555065096168191060962796201950705","288294457797168187934754749586048936509","151052489551114435308986337394479570459","213006275826760076516076958279528888219","178020714517195066202660648075087089950","243219486569140842104847391148576644862","187143736696446723813293942197096075893","164238930355821149871022389360426165860","327717555065096168191060962796201950705","288294457797168187934754749586048936509","151052489551114435308986337394479570459","213006275826760076516076958279528888219","22748492019790916104206250717897407969","307044815513582077165993042811738588826","262182975630621246209206463987280754057","340003719122539253473702446077555889163","150563184359254906168590771611801629189","306092578858770519986257278171310209807","20181567728655020568300040981209146032","288435753353998236815381509283233810709","16244480229490051662226600603476136641","307044815513582077165993042811738588826","262182975630621246209206463987280754057","340003719122539253473702446077555889163","150563184359254906168590771611801629189","306092578858770519986257278171310209807","20181567728655020568300040981209146032","288435753353998236815381509283233810709","120975947584594195072212574675430384303"],"threshold":0.9},"id":"ASB-A-274231102-6e8ab020","deprecated":false,"source":"https://android.googlesource.com/platform/external/libxml2/+/19e6d50dbabcfbbb53f5410c19ea5613e0a8ad7a","target":{"file":"xmlregexp.c"},"signature_type":"Line","signature_version":"v1"},{"digest":{"length":4193,"function_hash":"24896819028198972162326686889226208718"},"id":"ASB-A-274231102-d978d337","deprecated":false,"source":"https://android.googlesource.com/platform/external/libxml2/+/19e6d50dbabcfbbb53f5410c19ea5613e0a8ad7a","target":{"function":"xmlFAGenerateTransitions","file":"xmlregexp.c"},"signature_type":"Function","signature_version":"v1"},{"digest":{"length":1315,"function_hash":"25374719156014082904346898533442674231"},"id":"ASB-A-274231102-f11c4af1","deprecated":false,"source":"https://android.googlesource.com/platform/external/libxml2/+/19e6d50dbabcfbbb53f5410c19ea5613e0a8ad7a","target":{"function":"xmlAutomataNewOnceTrans2","file":"xmlregexp.c"},"signature_type":"Function","signature_version":"v1"},{"digest":{"length":1483,"function_hash":"320995382150417517862002393554507749409"},"id":"ASB-A-274231102-fe8fbaee","deprecated":false,"source":"https://android.googlesource.com/platform/external/libxml2/+/19e6d50dbabcfbbb53f5410c19ea5613e0a8ad7a","target":{"function":"xmlAutomataNewCountTrans2","file":"xmlregexp.c"},"signature_type":"Function","signature_version":"v1"}],"fixes":["https://android.googlesource.com/platform/external/libxml2/+/19e6d50dbabcfbbb53f5410c19ea5613e0a8ad7a"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-274231102.json"}},{"package":{"name":"platform/external/libxml2","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2023-10-01"}]}],"versions":["13"],"ecosystem_specific":{"spl":"2023-10-01","types":["EoP"],"severity":"High","vanir_signatures":[{"digest":{"line_hashes":["19425799061210353593077284545013811363","5907603357197868905669115033062480205","37650081241679653630269798644214843044","230570562004109944517098004816911128269","251770770304899036841109856180359482455","304698920401754550621011024863766267122","32026019354401868928204667467178777430","169754711938011847781472798512900816415","243219486569140842104847391148576644862","187143736696446723813293942197096075893","164238930355821149871022389360426165860","327717555065096168191060962796201950705","288294457797168187934754749586048936509","151052489551114435308986337394479570459","213006275826760076516076958279528888219","178020714517195066202660648075087089950","243219486569140842104847391148576644862","187143736696446723813293942197096075893","164238930355821149871022389360426165860","327717555065096168191060962796201950705","288294457797168187934754749586048936509","151052489551114435308986337394479570459","213006275826760076516076958279528888219","22748492019790916104206250717897407969","307044815513582077165993042811738588826","262182975630621246209206463987280754057","340003719122539253473702446077555889163","150563184359254906168590771611801629189","306092578858770519986257278171310209807","20181567728655020568300040981209146032","288435753353998236815381509283233810709","16244480229490051662226600603476136641","307044815513582077165993042811738588826","262182975630621246209206463987280754057","340003719122539253473702446077555889163","150563184359254906168590771611801629189","306092578858770519986257278171310209807","20181567728655020568300040981209146032","288435753353998236815381509283233810709","120975947584594195072212574675430384303"],"threshold":0.9},"id":"ASB-A-274231102-14d2204b","deprecated":false,"source":"https://android.googlesource.com/platform/external/libxml2/+/0e6ed17dfe8e36e5618a592a600720bd61e015cc","target":{"file":"xmlregexp.c"},"signature_type":"Line","signature_version":"v1"},{"digest":{"length":1315,"function_hash":"25374719156014082904346898533442674231"},"id":"ASB-A-274231102-583097df","deprecated":false,"source":"https://android.googlesource.com/platform/external/libxml2/+/0e6ed17dfe8e36e5618a592a600720bd61e015cc","target":{"function":"xmlAutomataNewOnceTrans2","file":"xmlregexp.c"},"signature_type":"Function","signature_version":"v1"},{"digest":{"length":4193,"function_hash":"24896819028198972162326686889226208718"},"id":"ASB-A-274231102-61311bae","deprecated":false,"source":"https://android.googlesource.com/platform/external/libxml2/+/0e6ed17dfe8e36e5618a592a600720bd61e015cc","target":{"function":"xmlFAGenerateTransitions","file":"xmlregexp.c"},"signature_type":"Function","signature_version":"v1"},{"digest":{"length":1483,"function_hash":"320995382150417517862002393554507749409"},"id":"ASB-A-274231102-6bde39d1","deprecated":false,"source":"https://android.googlesource.com/platform/external/libxml2/+/0e6ed17dfe8e36e5618a592a600720bd61e015cc","target":{"function":"xmlAutomataNewCountTrans2","file":"xmlregexp.c"},"signature_type":"Function","signature_version":"v1"},{"digest":{"length":860,"function_hash":"73338815645371492332508725579366774982"},"id":"ASB-A-274231102-8dff873b","deprecated":false,"source":"https://android.googlesource.com/platform/external/libxml2/+/0e6ed17dfe8e36e5618a592a600720bd61e015cc","target":{"function":"xmlAutomataNewOnceTrans","file":"xmlregexp.c"},"signature_type":"Function","signature_version":"v1"},{"digest":{"length":1028,"function_hash":"45312315292554977945286378268126194603"},"id":"ASB-A-274231102-c4a6ba49","deprecated":false,"source":"https://android.googlesource.com/platform/external/libxml2/+/0e6ed17dfe8e36e5618a592a600720bd61e015cc","target":{"function":"xmlAutomataNewCountTrans","file":"xmlregexp.c"},"signature_type":"Function","signature_version":"v1"}],"fixes":["https://android.googlesource.com/platform/external/libxml2/+/0e6ed17dfe8e36e5618a592a600720bd61e015cc"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-274231102.json"}}],"schema_version":"1.7.5"}