CVE-2026-41080
Received
Received - Intake
Hash Flooding Vulnerability in libexpat XML Parser Before
Publication date: 2026-04-16
Last updated on: 2026-04-27
Assigner: MITRE
Description
Description
libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| libexpat_project | libexpat | to 2.7.6 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-331 | The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in libexpat versions before 2.7.6. It is caused by the use of insufficient entropy in the library's processing, which allows an attacker to perform hash flooding by crafting a malicious XML document.
How can this vulnerability impact me? :
The vulnerability can lead to hash flooding attacks, which may cause a denial of service by making the XML processing consume excessive resources. According to the CVSS score, the impact on availability is low, and there is no impact on confidentiality or integrity.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70