CVE-2021-45960: 
Tenable Nessus vulnerability analysis and mitigation

In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory). The vulnerability was discovered in late 2021 and assigned CVE-2021-45960 (CVE, NVD).

The vulnerability exists in the storeAtts function in xmlparse.c where a left shift operation by 29 or more bits can cause memory allocation issues. The issue occurs when processing XML documents with a large number of prefixed attributes on a single tag. To trigger the vulnerability, approximately 2^27+1 prefixed attributes are needed on a single XML tag when using XML_ParserCreateNS to create the parser (Expat Issue).

The vulnerability can lead to denial of service (DoS) or potentially more severe consequences. On 32-bit systems, it can cause realloc to allocate too few bytes or act as a free operation, while on 64-bit systems it may lead to undefined behavior when the shift exceeds 31 bits (Expat Issue).

The vulnerability was fixed in Expat version 2.4.3. The fix includes detecting and preventing left shifts by sizeof(int) 8 - 1 or more bits, and preventing integer overflow on nsAttsSize sizeof(NS_ATT) calculations. Users should upgrade to Expat version 2.4.3 or later (Expat PR).

Multiple vendors and distributions have released security advisories and patches for this vulnerability, including Debian, NetApp, and Tenable. Debian released security updates for both oldstable (buster) and stable (bullseye) distributions (Debian, NetApp, Tenable).