CVE-2026-7210
Expat Hash Flooding Protection Bypass via XML Document

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: Python Software Foundation

Description
`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.

Fully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.
Affected Vendors & Products
Vendor Product Version / Range
libexpat libexpat From 2.8.0 (inc)
python pyexpat From 3.10 (inc) to 3.15 (inc)
libexpat libexpat 2.8.0
mailman mailman 3
CWE
CWE ID Description
CWE-331 The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of CVE-2026-7210 on compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

CVE-2026-7210 is a vulnerability in Python's XML parsing modules, specifically xml.parsers.expat and xml.etree.ElementTree, caused by insufficient entropy used for hash-flooding protection.

Hash flooding is an attack where an attacker crafts XML documents that cause excessive hash collisions, potentially degrading performance or causing denial of service.

The vulnerability arises because the pyexpat module uses a hash salt function that provides only 4 to 8 bytes of entropy, which is insufficient to prevent such attacks.

The fix involves updating libexpat to version 2.8.0 or later and modifying pyexpat to use the newer XML_SetHashSalt16Bytes function, which provides 16 bytes of entropy, significantly improving protection against hash flooding.


How can this vulnerability impact me?

This vulnerability can allow an attacker to craft malicious XML documents that trigger hash flooding attacks against applications using Python's xml.parsers.expat or xml.etree.ElementTree modules.

Such attacks can degrade the performance of XML parsing, potentially leading to denial of service conditions where the application becomes unresponsive or slow.

Because the attack only requires the application to parse a crafted XML document, it could be exploited remotely without user interaction.


What immediate steps should I take to mitigate this vulnerability?

To mitigate CVE-2026-7210, you should update libexpat to version 2.8.0 or later.

Additionally, apply the patch that updates Python's pyexpat module to use the XML_SetHashSalt16Bytes function from libexpat, which enhances hash salt randomization and protects against hash flooding attacks.

This patch has been merged into the main Python branch and backported to supported Python versions (3.10 through 3.15), though some versions may require manual cherry-picking.
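The following is an added defender-side check, not part of the advisory or of CPython: it reads the libexpat version linked into the running interpreter (via the real `pyexpat.version_info` and `pyexpat.EXPAT_VERSION` attributes) and compares it against the 2.8.0 minimum stated above. It cannot detect whether the pyexpat `XML_SetHashSalt16Bytes` patch is present, so that half of the mitigation is reported as unverified and must be confirmed against your Python build.

```python
import pyexpat

# Minimum libexpat version named in the advisory.
MIN_LIBEXPAT = (2, 8, 0)


def parse_expat_version(s: str) -> tuple:
    """Parse a pyexpat.EXPAT_VERSION string such as 'expat_2.6.4' into (2, 6, 4)."""
    prefix = "expat_"
    if not s.startswith(prefix):
        raise ValueError(f"unexpected EXPAT_VERSION string: {s!r}")
    return tuple(int(part) for part in s[len(prefix):].split("."))


def libexpat_meets_minimum(version: tuple, minimum: tuple = MIN_LIBEXPAT) -> bool:
    """True when the linked libexpat is at or above the required release.

    Tuple comparison handles multi-digit components correctly, so (2, 10, 0)
    is correctly ranked above (2, 8, 0).
    """
    return tuple(version) >= tuple(minimum)


def check_runtime() -> dict:
    """Report the libexpat half of the mitigation for the running interpreter."""
    version = pyexpat.version_info  # e.g. (2, 6, 4)
    return {
        "libexpat_version": ".".join(str(x) for x in version),
        "libexpat_ok": libexpat_meets_minimum(version),
        # The 16-byte salt patch is not observable at runtime; verify it
        # from your Python release notes or build source separately.
        "pyexpat_salt_patch_verified": None,
    }


if __name__ == "__main__":
    result = check_runtime()
    status = "meets" if result["libexpat_ok"] else "is BELOW"
    print(f"libexpat {result['libexpat_version']} {status} the 2.8.0 minimum")
    print("pyexpat XML_SetHashSalt16Bytes patch: not verifiable here, check your build")
```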

