CVE-2026-45186
Expat XML Parser Denial of Service
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| libexpat | libexpat | before 2.8.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-407 | An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in libexpat versions before 2.8.1 and is related to the way the library checks for attribute name collisions in XML documents.
The issue causes a denial-of-service (DoS) condition because the attribute collision checks have quadratic runtime behavior when processing XML inputs with many attributes. This means that moderately sized, specially crafted XML inputs can cause significant performance degradation, making the system slow or unresponsive.
A proof-of-concept payload was created to demonstrate how this flaw can be exploited, and a fix was implemented to improve the attribute collision detection from an inefficient quadratic time to a more efficient constant time.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to cause a denial of service on systems using vulnerable versions of libexpat.
By sending moderately sized, maliciously crafted XML input, an attacker can trigger excessive computational load due to inefficient attribute collision checks, leading to significant performance degradation or system unavailability.
This can disrupt normal operations, potentially causing downtime or degraded service quality.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by analyzing XML inputs processed by libexpat for signs of unusually high computational load caused by attribute name collision checks. A proof-of-concept payload generator exists that creates crafted XML inputs with a large number of attributes to trigger the denial-of-service condition.
To detect exploitation attempts on your system, you can monitor for processes using libexpat that exhibit high CPU usage when parsing XML documents. Additionally, you can test your libexpat version by running the proof-of-concept XML payload against it to see if it causes performance degradation.
- Use monitoring tools like top, htop, or ps to identify high CPU usage in processes parsing XML.
- Run the proof-of-concept XML payload (available from the linked pull request) against your libexpat installation to check if it triggers the vulnerability.
- Check which libexpat a binary loads (for example with `ldd` on the binary), or query the package manager for the installed version, to confirm whether it is before 2.8.1.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade libexpat to version 2.8.1 or later, where the vulnerability has been fixed by improving the attribute collision detection mechanism.
Until the upgrade can be applied, consider limiting or sanitizing XML inputs to avoid processing documents with a large number of attributes that could trigger the denial-of-service condition.
Monitor your systems for unusual CPU usage during XML parsing and restrict access to services that use vulnerable versions of libexpat to trusted users or networks.
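
The version check and the interim input limit described above can be combined in front of a parser. The following is an added example, not code from libexpat or from the linked pull request: it reads the Expat version that Python's `xml.parsers.expat` is linked against and refuses documents whose start tags could exceed an attribute limit before Expat sees them. The `MAX_ATTRS` value, the function names and the sample documents are assumptions made for illustration.

```python
from xml.parsers import expat

FIXED = (2, 8, 1)   # first fixed libexpat release, per this advisory
MAX_ATTRS = 256     # assumed per-element policy limit; tune to your schemas

def is_affected(version=None):
    """True if the given (or linked) Expat version predates the fix."""
    return tuple(version or expat.version_info) < FIXED

def attr_upper_bound(data: bytes) -> int:
    """Linear-time upper bound on attributes written in any one start tag.

    A literal '<' cannot occur inside an attribute value in well-formed
    XML, so each start tag lies within one '<'-delimited segment and has
    at most as many attributes as that segment has '=' bytes. Over-counts
    (text, comments, '=' inside values) only cause false rejections.
    """
    if b"\x00" in data or b"<!DOCTYPE" in data:
        # UTF-16/32 breaks the byte-level reasoning; DTD defaults add unseen attributes.
        raise ValueError("unsupported input: transcode to UTF-8 and drop the DTD")
    return max(seg.count(b"=") for seg in data.split(b"<"))

def parse_guarded(data: bytes, limit=MAX_ATTRS, enforce=None):
    """Screen, then parse; returns [(element, attribute_count), ...]."""
    if enforce is None:
        enforce = is_affected()          # only screen while the library is unpatched
    if enforce and attr_upper_bound(data) > limit:
        raise ValueError("attribute count exceeds policy limit")
    seen = []
    parser = expat.ParserCreate()
    parser.StartElementHandler = lambda name, attrs: seen.append((name, len(attrs)))
    parser.Parse(data, True)
    return seen

if __name__ == "__main__":
    print("linked Expat:", expat.EXPAT_VERSION, "affected:", is_affected())
    # Constructed samples, not taken from the advisory or the upstream fix.
    ok = b'<r><item id="1" href="http://h/?a=b"/></r>'
    wide = b"<r " + b" ".join(b'a%d="x"' % i for i in range(40)) + b"/>"
    print(parse_guarded(ok, limit=32, enforce=True))
    try:
        parse_guarded(wide, limit=32, enforce=True)
    except ValueError as exc:
        print("rejected:", exc)
```

The screen is deliberately conservative: it can reject legitimate documents that carry many `=` characters in text or attribute values, so set the limit from the widest element your schemas actually use.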