In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.
https://github.com/libexpat/libexpat/pull/650
https://github.com/libexpat/libexpat/pull/616
https://github.com/libexpat/libexpat/issues/649
https://lists.debian.org/debian-lts-announce/2022/10/msg00033.html
https://www.debian.org/security/2022/dsa-5266