CVE-2026-45186
Received Received - Intake
Expat XML Parser Denial of Service

Publication date: 2026-05-10

Last updated on: 2026-05-11

Assigner: MITRE

Description
In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-10
Last Modified
2026-05-11
Generated
2026-06-19
AI Q&A
2026-05-10
EPSS Evaluated
2026-06-18
NVD
CVE-2026-45186
EUVD
EUVD-2026-28985
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
libexpat libexpat to 2.8.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-407 An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in libexpat versions before 2.8.1 and is related to the way the library checks for attribute name collisions in XML documents.

The issue causes a denial-of-service (DoS) condition because the attribute collision checks have quadratic runtime behavior when processing XML inputs with many attributes. This means that moderately sized, specially crafted XML inputs can cause significant performance degradation, making the system slow or unresponsive.

A proof-of-concept payload was created to demonstrate how this flaw can be exploited, and a fix was implemented to improve the attribute collision detection from an inefficient quadratic time to a more efficient constant time.

Impact Analysis

This vulnerability can impact you by allowing an attacker to cause a denial of service on systems using vulnerable versions of libexpat.

By sending moderately sized, maliciously crafted XML input, an attacker can trigger excessive computational load due to inefficient attribute collision checks, leading to significant performance degradation or system unavailability.

This can disrupt normal operations, potentially causing downtime or degraded service quality.

Detection Guidance

This vulnerability can be detected by analyzing XML inputs processed by libexpat for signs of unusually high computational load caused by attribute name collision checks. A proof-of-concept payload generator exists that creates crafted XML inputs with a large number of attributes to trigger the denial-of-service condition.

To detect exploitation attempts on your system, you can monitor for processes using libexpat that exhibit high CPU usage when parsing XML documents. Additionally, you can test your libexpat version by running the proof-of-concept XML payload against it to see if it causes performance degradation.

  • Use monitoring tools like top, htop, or ps to identify high CPU usage in processes parsing XML.
  • Run the proof-of-concept XML payload (available from the linked pull request) against your libexpat installation to check if it triggers the vulnerability.
  • Check the libexpat version with a command like `ldd` on the binary or querying the package manager to confirm if it is before version 2.8.1.
Mitigation Strategies

The immediate mitigation step is to upgrade libexpat to version 2.8.1 or later, where the vulnerability has been fixed by improving the attribute collision detection mechanism.

Until the upgrade can be applied, consider limiting or sanitizing XML inputs to avoid processing documents with a large number of attributes that could trigger the denial-of-service condition.

Monitor your systems for unusual CPU usage during XML parsing and restrict access to services that use vulnerable versions of libexpat to trusted users or networks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45186. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart