CVE-2026-7210

HIGH

The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection

Title source: cna

Description

`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy to seed Expat's hash-flooding protection, which allows a crafted XML document to trigger hash flooding (worst-case hash-table behaviour in the parser, causing a CPU-exhaustion denial of service; the CVSS vector below scores availability impact only).

Fully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying the CPython patch; either change alone leaves the parser exposed.
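Because the fix has two halves (the libexpat library version and the CPython patch), a practitioner wants to check both on a given interpreter. The following is an added example written for this page, not code from CPython or libexpat. It encodes the affected ranges from the Products list below and reads the running interpreter's versions from `sys.version_info` and `pyexpat.version_info`; where the Products list overlaps (CPython `< 3.15.0` alongside `3.15.0a1 - 3.15.0b2`), it assumes the narrower pre-release entry is the precise one and treats 3.15.0b3 and later as fixed.

```python
"""Check a CPython / libexpat pair against the CVE-2026-7210 affected ranges.

Added example for this page (not CPython or libexpat code). Affected ranges are
taken from the advisory's Products list:
  libexpat < 2.8.0
  CPython  < 3.13.14
  CPython  3.14.0 - 3.14.6
  CPython  3.15.0a1 - 3.15.0b2   (assumed to be the precise 3.15 range)
"""
import sys

import pyexpat


def expat_vulnerable(expat_version):
    """libexpat below 2.8.0 lacks the entropy fix the advisory requires.

    expat_version is a (major, minor, micro) tuple, e.g. pyexpat.version_info.
    """
    return tuple(expat_version[:3]) < (2, 8, 0)


def cpython_vulnerable(version_info):
    """Match the affected CPython ranges from the Products list.

    version_info is shaped like sys.version_info:
    (major, minor, micro, releaselevel, serial), where releaselevel is one of
    'alpha', 'beta', 'candidate', 'final'.
    """
    major, minor, micro, level, serial = version_info[:5]
    if (major, minor) < (3, 13):
        # Everything below 3.13.14 is inside the "< 3.13.14" range.
        return True
    if (major, minor) == (3, 13):
        return micro < 14
    if (major, minor) == (3, 14):
        return micro <= 6
    if (major, minor) == (3, 15) and micro == 0:
        # 3.15.0a1 through 3.15.0b2 are listed; assumption: b3+, rc and final
        # carry the patch.
        return level == "alpha" or (level == "beta" and serial <= 2)
    return False


def fully_mitigated(expat_version, version_info):
    """The advisory requires BOTH halves: new libexpat AND patched CPython."""
    return not expat_vulnerable(expat_version) and not cpython_vulnerable(version_info)


def report():
    """Inspect the running interpreter and return a dict a script can act on."""
    expat = pyexpat.version_info           # e.g. (2, 6, 0)
    py = tuple(sys.version_info)           # e.g. (3, 13, 2, 'final', 0)
    return {
        "libexpat": ".".join(map(str, expat)),
        "libexpat_vulnerable": expat_vulnerable(expat),
        "cpython": sys.version.split()[0],
        "cpython_vulnerable": cpython_vulnerable(py),
        "fully_mitigated": fully_mitigated(expat, py),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
    sys.exit(0 if report()["fully_mitigated"] else 1)
```

Run it under each interpreter you deploy; a non-zero exit means at least one half of the fix is missing. Note that `pyexpat.version_info` reports the libexpat CPython was built against (or a bundled copy), so a distribution that patches libexpat without bumping its version string will still be flagged by this check.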

Scores

CVSS v3 7.5
EPSS 0.0081
EPSS Percentile 51.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-331
Status published
Products (6)
libexpat_project/libexpat < 2.8.0
python/python < 3.15.0
Python Software Foundation/CPython < 3.13.14
Python Software Foundation/CPython < 3.15.0
Python Software Foundation/CPython 3.14.0 - 3.14.6
Python Software Foundation/CPython 3.15.0a1 - 3.15.0b2
Published May 11, 2026
Tracked Since May 11, 2026