CVE-2022-25315: 
IBM Db2 vulnerability analysis and mitigation

CVE-2022-25315 affects Expat (aka libexpat) versions before 2.4.5, where there is an integer overflow vulnerability in the storeRawNames function. The vulnerability was discovered in February 2022 and affects multiple systems and software that use the Expat XML parsing library (NVD, Openwall).

The vulnerability is an integer overflow condition in the storeRawNames function. The issue occurs when abusing the m_buffer expansion logic to allow allocations very close to INT_MAX. The attack can be triggered by crafting a specially prepared UTF-16 XML file that takes advantage of how Expat converts between different encodings. The vulnerability has received a CVSS v3.1 Base Score of 9.8 CRITICAL with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The successful exploitation of this vulnerability could lead to denial of service or potentially arbitrary code execution when processing malformed XML files. The vulnerability affects both default configurations and systems handling XML processing (Debian Security Advisory, NetApp Advisory).

The vulnerability has been fixed in Expat version 2.4.5. Users and organizations are strongly recommended to upgrade to this version or later. Multiple vendors have released patches for their affected products, including Debian, Fedora, and Oracle. There are no known workarounds other than upgrading to a fixed version (Debian Security Advisory, Oracle Security Alert).