In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read. (CVE-2019-15903)
Impact
A remote attacker could send specially crafted XML which, when parsed by an application using the Expat library, would result in a buffer over-read and cause the application to stop responding.