CVE-2021-45960 Overview
CVE-2021-45960 is an integer overflow vulnerability in Expat (also known as libexpat), a widely used XML parsing library. The vulnerability exists in versions prior to 2.4.3 and occurs in the storeAtts function within xmlparse.c. A left shift operation by 29 or more places can lead to realloc misbehavior, resulting in improper memory allocation: either allocating too few bytes or only freeing memory without proper reallocation.
This vulnerability can be exploited remotely over the network by an authenticated attacker without user interaction. Given that libexpat is a foundational XML parsing library used across numerous applications and systems, the potential impact is widespread. Successful exploitation could lead to memory corruption, application crashes, or potentially arbitrary code execution.
Critical Impact
Memory corruption via integer overflow in XML parsing library could affect confidentiality, integrity, and availability of affected systems across multiple vendors and platforms.
Affected Products
- libexpat_project libexpat (versions before 2.4.3)
- Tenable Nessus
- Debian debian_linux (10.0 and 11.0)
- Siemens sinema_remote_connect_server
- NetApp active_iq_unified_manager
- NetApp hci_baseboard_management_controller (H610C, H610S, H615C)
- NetApp oncommand_workflow_automation
- NetApp solidfire & hci_management_node
Discovery Timeline
- 2022-01-01 - CVE-2021-45960 published to NVD
- 2025-05-05 - Last updated in NVD database
Technical Details for CVE-2021-45960
Vulnerability Analysis
The vulnerability resides in the storeAtts function within xmlparse.c, the core XML parsing component of libexpat. When processing XML attributes, the function performs a left shift operation that, under certain conditions, can shift by 29 or more bit positions. This arithmetic operation triggers undefined behavior in C, as left-shifting by a value greater than or equal to the width of the operand type leads to unpredictable results.
The integer overflow directly affects memory allocation logic. When realloc is called with an incorrectly calculated size value resulting from the overflow, it may allocate a buffer that is significantly smaller than required or may only free memory without performing proper reallocation. This creates conditions for heap corruption, buffer overflows, or use-after-free scenarios depending on how the application subsequently uses the affected memory regions.
The vulnerability is classified under CWE-682 (Incorrect Calculation), highlighting that the root cause is improper arithmetic handling rather than traditional input validation failures.
Root Cause
The root cause is an incorrect calculation (CWE-682) in the storeAtts function where a left shift operation by 29 or more places occurs during attribute processing. In C, left-shifting a 32-bit integer by 29 or more positions results in undefined behavior when the value being shifted has certain bit patterns set. This undefined behavior manifests as an incorrect size calculation that is subsequently passed to realloc, causing the memory allocator to behave unexpectedly.
The calculation flaw exists because the code did not properly validate or constrain the shift amount before performing the operation, nor did it account for potential integer overflow conditions when computing memory sizes for attribute storage.
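The following is an added, stand-alone C demonstration of the arithmetic described above; it is not libexpat's code. It shows the shift-then-multiply size computation in its unchecked form next to a checked form that applies the two guards the fix introduces (reject a shift that reaches the width of the type, reject a count whose byte size does not fit in size_t). The arithmetic is pinned to 32 bits so the result is the same on any host, and the element sizes of 12 and 24 bytes are constructed stand-ins for a small per-attribute record, not values taken from libexpat. With a 24-byte element, 1 << 29 elements is 12884901888 bytes, exactly 3 × 2^32, so the product wraps to 0 and the allocation request degenerates into realloc(p, 0), which on common allocators frees p and returns NULL; this is the "only freeing memory" case. With a 12-byte element the same shift wraps to 2 GiB, the "too few bytes" case.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The demo fixes the size type at 32 bits so the wrap-around is
 * reproducible on any host; with a 64-bit size_t the same product
 * overflows only at higher powers. */
#define SIZE_BITS 32u
#define SIZE_MAX32 UINT32_MAX

/* Unchecked form (the pattern the advisory describes): the element count
 * is produced by a left shift in int and then multiplied by the element
 * size. The product wraps modulo 2^32, and that wrapped value is what
 * would reach realloc(). Shifts by 31 or more are undefined behaviour for
 * a 32-bit int, so the demo refuses them instead of executing UB. */
static uint32_t unchecked_alloc_bytes(unsigned power, uint32_t elem_size) {
    if (power >= 31u)
        return 0;                           /* not executed: would be UB */
    int count = (int)1 << power;            /* element count, e.g. 1 << 29 */
    return (uint32_t)count * elem_size;     /* wraps silently on overflow */
}

/* Checked form in the spirit of the 2.4.3 fix: reject a shift that reaches
 * the width of the type, then reject a count whose byte size does not fit
 * in size_t. Sets *bytes and returns true only when the size is sound. */
static bool checked_alloc_bytes(unsigned power, uint32_t elem_size,
                                uint32_t *bytes) {
    if (power >= SIZE_BITS)
        return false;                       /* invalid shift amount */
    uint32_t count = UINT32_C(1) << power;
    if (elem_size == 0 || count > SIZE_MAX32 / elem_size)
        return false;                       /* count * elem_size overflows */
    *bytes = count * elem_size;
    return true;
}

int main(void) {
    /* Constructed element sizes: 12 and 24 bytes stand in for a small
     * per-attribute record on 32- and 64-bit builds; they are illustrative. */
    const uint32_t elem_sizes[] = {12, 24};
    const unsigned powers[] = {3, 27, 28, 29, 30, 31, 32};
    for (size_t e = 0; e < sizeof elem_sizes / sizeof elem_sizes[0]; e++) {
        printf("elem_size=%" PRIu32 "\n", elem_sizes[e]);
        for (size_t i = 0; i < sizeof powers / sizeof powers[0]; i++) {
            uint32_t ok_bytes = 0;
            bool ok = checked_alloc_bytes(powers[i], elem_sizes[e], &ok_bytes);
            printf("  1<<%-2u : unchecked=%10" PRIu32 "  checked=%s (%" PRIu32 ")\n",
                   powers[i], unchecked_alloc_bytes(powers[i], elem_sizes[e]),
                   ok ? "accepted" : "rejected", ok_bytes);
        }
    }
    return 0;
}
```

The table the program prints makes the failure mode visible: the unchecked column keeps producing plausible-looking numbers right through the point where the true size no longer fits, while the checked column refuses every request from that point on, which is the behaviour a parser must have before it hands a size to the allocator.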
Attack Vector
The attack vector is network-based, requiring low privileges but no user interaction. An attacker can exploit this vulnerability by sending specially crafted XML documents to applications using vulnerable versions of libexpat. The malicious XML would contain attributes designed to trigger the problematic left shift operation during parsing.
When the vulnerable storeAtts function processes these crafted attributes, the integer overflow occurs, leading to memory allocation issues. Depending on the application's memory layout and subsequent operations, this could result in denial of service through application crashes, information disclosure through memory corruption, or potentially code execution if the attacker can control memory contents through heap manipulation techniques.
Detection Methods for CVE-2021-45960
Indicators of Compromise
- Unexpected application crashes during XML parsing operations, particularly when processing documents with numerous or specially crafted attributes
- Memory allocation errors or segmentation faults in processes utilizing libexpat
- Abnormal memory consumption patterns in XML processing applications
- Application logs showing realloc failures or memory corruption errors
Detection Strategies
- Implement binary composition analysis to identify applications bundling vulnerable libexpat versions (prior to 2.4.3)
- Deploy application performance monitoring to detect abnormal memory allocation patterns during XML processing
- Use memory-error detectors (AddressSanitizer, Valgrind) in development and testing environments to identify heap corruption issues
- Monitor for crash dumps indicating memory corruption in XML parsing routines
Monitoring Recommendations
- Enable detailed logging for XML parsing operations in production applications
- Monitor system logs for segmentation faults, heap corruption, or unexpected termination of processes known to use libexpat
- Implement alerting for repeated application restarts that may indicate exploitation attempts
- Track software inventory to maintain awareness of libexpat versions deployed across the environment
How to Mitigate CVE-2021-45960
Immediate Actions Required
- Identify all applications and systems using libexpat versions prior to 2.4.3 through software composition analysis
- Upgrade libexpat to version 2.4.3 or later where the integer overflow has been corrected
- Apply vendor-specific patches from Debian, NetApp, Siemens, Tenable, and other affected vendors
- Prioritize patching for internet-facing applications that process untrusted XML content
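An added C example, not code from libexpat or any of the vendors above, of the version triage behind the first action: it parses the version strings a software inventory typically collects (plain "2.4.3", the "expat_2.4.3" form that libexpat's XML_ExpatVersion() returns, or a distribution string such as "2.2.10-2") and classifies each as predating the fix, fixed (2.4.3 or later), or unparseable. The inventory records and host names in main are constructed. Treating an unparseable string as "review" rather than "safe" is deliberate.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>

/* First libexpat release containing the fix, per the advisory. */
static const unsigned EXPAT_FIXED_VERSION[3] = {2, 4, 3};

/* Parse up to three dotted numeric components out of strings such as
 * "2.4.3", "expat_2.4.3" or "2.2.10-2". Leading non-digits are skipped,
 * parsing stops at the first character that is neither digit nor dot,
 * and missing components stay 0. Returns false when no number is found. */
static bool parse_expat_version(const char *s, unsigned v[3]) {
    v[0] = v[1] = v[2] = 0;
    while (*s && !isdigit((unsigned char)*s))
        s++;
    if (*s == '\0')
        return false;
    for (int i = 0; i < 3 && isdigit((unsigned char)*s); i++) {
        unsigned n = 0;
        while (isdigit((unsigned char)*s))
            n = n * 10 + (unsigned)(*s++ - '0');
        v[i] = n;
        if (*s != '.')
            break;
        s++;
    }
    return true;
}

/* Lexicographic comparison of (major, minor, micro). */
static int compare_versions(const unsigned a[3], const unsigned b[3]) {
    for (int i = 0; i < 3; i++) {
        if (a[i] != b[i])
            return a[i] < b[i] ? -1 : 1;
    }
    return 0;
}

/* 1 = predates the fix, 0 = 2.4.3 or later, -1 = not parseable
 * (flag for manual review rather than silently treating as safe). */
static int expat_version_status(const char *version_string) {
    unsigned v[3];
    if (!parse_expat_version(version_string, v))
        return -1;
    return compare_versions(v, EXPAT_FIXED_VERSION) < 0 ? 1 : 0;
}

int main(void) {
    /* Constructed inventory records: (host, reported libexpat version). */
    static const struct { const char *host; const char *version; } inventory[] = {
        {"build-01",  "expat_2.4.3"},
        {"web-02",    "2.4.1"},
        {"ci-03",     "2.2.10-2"},
        {"db-04",     "2.5.0"},
        {"legacy-05", "unknown"},
    };
    for (size_t i = 0; i < sizeof inventory / sizeof inventory[0]; i++) {
        int st = expat_version_status(inventory[i].version);
        printf("%-10s %-14s %s\n", inventory[i].host, inventory[i].version,
               st == 1 ? "VULNERABLE (< 2.4.3)"
                       : st == 0 ? "fixed" : "REVIEW (unparseable)");
    }
    return 0;
}
```

One caveat for this kind of check: a distribution that backports the fix, as Debian did through DSA-5073 listed below, keeps its upstream version number, so a pure version-string comparison over-reports on such packages and the package changelog or the vendor advisory has to settle those cases.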
Patch Information
The vulnerability has been addressed in libexpat version 2.4.3. The fix is available via GitHub Pull Request #534, which corrects the improper calculation in the storeAtts function. Multiple downstream vendors have released security advisories with patches:
- Debian Security Advisory DSA-5073
- Tenable Security Notification TNS-2022-05
- NetApp Security Advisory NTAP-20220121-0004
- Siemens Product Security Advisory SSA-484086
- Gentoo GLSA 2022-09-24
For technical details about the vulnerability, see the GitHub Issue #531 Discussion.
Workarounds
- Implement input validation to restrict XML document size and attribute count before parsing with vulnerable libexpat versions
- Consider using alternative XML parsers where possible until patching is complete
- Isolate XML parsing operations in sandboxed environments to limit the impact of potential exploitation
- Apply network-level controls to filter or inspect XML traffic destined for vulnerable applications
# Update libexpat on Debian-based systems
sudo apt update && sudo apt install --only-upgrade libexpat1
# Verify installed version
dpkg -l | grep libexpat
# Ensure version is 2.4.3 or later (or a distribution build that backports the fix, e.g. per DSA-5073)
# For source builds from the libexpat git repository, check out the 2.4.3 release tag (or a later one)
cd /path/to/libexpat
git fetch --tags && git checkout R_2_4_3
# A git checkout needs buildconf.sh to generate configure; release tarballs ship it already
./buildconf.sh && ./configure && make && sudo make install
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.