VDB

CVE-2009-3720

CVE-2009-3720 PUBLISHED

The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625.

EPSS 1.57% · 81.9th percentile

Risk Scores

EPSS Score
1.57%
81.9th percentile

Affected Products

VendorProductVersions
Ubuntu:16.04:LTSinsighttoolkit0, 3.20.1+git20120521-6build1, 3.20.1+git20120521-6
Ubuntu:25.10swish-e2.4.7-6.3build1, 0, 2.4.7-6.3
Ubuntu:18.04:LTScadaver0, 0.23.3-2ubuntu3
Ubuntu:20.04:LTSmatanza0.13+ds2-1, 0.13+ds1-6, 0
Ubuntu:24.04:LTSswish-e2.4.7-6.2, 0, 2.4.7-6.2build1
Ubuntu:25.10coin30, 4.0.3+ds-2
Ubuntu:20.04:LTScoin34.0.0~CMake~6f54f1602475+ds1-3, *, 0
Ubuntu:25.10matanza0.13+ds2-2, 0
Ubuntu:20.04:LTSswish-e2.4.7-6build2, 0, 2.4.7-6build1
Ubuntu:22.04:LTSswish-e2.4.7-6build3, 2.4.7-6.1build1, 2.4.7-6.1
Ubuntu:Pro:16.04:LTScoin33.1.4~abc9f50+dfsg1-1, 0, 3.1.4~abc9f50+dfsg1-1ubuntu0.1~esm1
Ubuntu:16.04:LTScadaver0.23.3-2ubuntu2, 0
Ubuntu:25.10sitecopy1:0.16.6-16, 0, 1:0.16.6-16build1
Ubuntu:25.10cadaver*, 0
Ubuntu:Pro:14.04:LTScoin30, 3.1.4~abc9f50-4ubuntu2, 3.1.4~abc9f50-4
Ubuntu:22.04:LTSmatanza0, 0.13+ds2-1
Ubuntu:22.04:LTScoin34.0.0+ds-1build1, 0, *
Ubuntu:24.04:LTScoin30, 4.0.0+ds-5, 4.0.2+ds-1
Ubuntu:16.04:LTSswish-e2.4.7-4, 0, 2.4.7-4build1
Ubuntu:18.04:LTSmatanza*, 0.13+ds1-6, 0

…and 8 more

Exploit Intelligence

…and 39 more exploits

Timeline

  • CVE Published
  • Feb 14, 2016 PoC Published
  • Feb 4, 2022 EPSS Score
  • May 20, 2022 EPSS Score
  • Sep 4, 2022 EPSS Score
  • Dec 18, 2022 EPSS Score
  • Feb 9, 2023 EPSS Score
  • Apr 3, 2023 EPSS Score
  • Jul 17, 2023 EPSS Score
  • Oct 30, 2023 EPSS Score
  • Feb 13, 2024 EPSS Score
  • Apr 5, 2024 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›