CVE-2026-7210
Expat Hash Flooding Protection Bypass via XML Document

Publication date: 2026-05-11

Last updated on: 2026-06-15

Assigner: Python Software Foundation

Description
`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.

Fully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.
Meta Information
Generated: 2026-06-21
AI Q&A: 2026-05-11
EPSS evaluated: 2026-06-19
External references: NVD, EUVD
Affected Vendors & Products
Vendor: python
Product: python
Version / Range: all versions before 3.15.0 (3.15.0 excluded)
CWE
CWE-331: The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.
AI Quick Actions
Compliance Impact

The provided information does not specify any direct impact of CVE-2026-7210 on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-7210 is a vulnerability in Python's XML parsing modules, specifically xml.parsers.expat and xml.etree.ElementTree, caused by insufficient entropy used for hash-flooding protection.

Hash flooding is an attack where an attacker crafts XML documents that cause excessive hash collisions, potentially degrading performance or causing denial of service.

The vulnerability arises because the pyexpat module seeds Expat's hash salt with only 4 to 8 bytes of entropy, which is insufficient to prevent such attacks.

The fix involves updating libexpat to version 2.8.0 or later and modifying pyexpat to use the newer XML_SetHashSalt16Bytes function, which provides 16 bytes of entropy, significantly improving protection against hash flooding.

Impact Analysis

This vulnerability can allow an attacker to craft malicious XML documents that trigger hash flooding attacks against applications using Python's xml.parsers.expat or xml.etree.ElementTree modules.

Such attacks can degrade the performance of XML parsing, potentially leading to denial of service conditions where the application becomes unresponsive or slow.

Because the trigger is a crafted XML document, any service that parses attacker-supplied XML could be affected remotely, without requiring user interaction.

Mitigation Strategies

To mitigate CVE-2026-7210, update libexpat to version 2.8.0 or later. This step alone is not sufficient; the pyexpat patch described below is also required.

Additionally, apply the patch that updates Python's pyexpat module to use the XML_SetHashSalt16Bytes function from libexpat, which enhances hash salt randomization and protects against hash flooding attacks.

This patch has been merged into the main Python branch and backported to supported Python versions (3.10 through 3.15), though some versions may require manual cherry-picking.
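The following is an added example, not code from the advisory, the Python Software Foundation or CPython. It shows the check a defender can run on an interpreter to see whether the bundled libexpat meets the 2.8.0 minimum named above and whether the interpreter falls in the affected CPE range (Python before 3.15.0). It reads the real `pyexpat.version_info` and `pyexpat.EXPAT_VERSION` attributes; the `MIN_LIBEXPAT` constant, the 3.15.0 upper bound and the function names are taken from this page or are the example's own assumptions. The caveat is built in: a passing libexpat version is necessary but not sufficient, because the pyexpat patch must also be present, and that cannot be inferred from version numbers alone.

```python
"""Assess an interpreter against the CVE-2026-7210 mitigation requirements.

Added example (not from the advisory or CPython). It checks the two facts the
advisory ties mitigation to: libexpat >= 2.8.0 and a patched pyexpat. Only the
first is machine-checkable from version data; the second is reported as a
manual follow-up.
"""
import re
import sys
from typing import Dict, Tuple

import pyexpat

# Minimum libexpat version the advisory names as required for full mitigation.
MIN_LIBEXPAT: Tuple[int, int, int] = (2, 8, 0)

# Upper bound of the affected CPE range on this page: python up to 3.15.0 (exclusive).
AFFECTED_BELOW: Tuple[int, int, int] = (3, 15, 0)


def parse_expat_version(version_string: str) -> Tuple[int, ...]:
    """Turn a pyexpat.EXPAT_VERSION string such as 'expat_2.5.0' into a tuple."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if not match:
        raise ValueError(f"unrecognised libexpat version string: {version_string!r}")
    return tuple(int(part) for part in match.groups())


def libexpat_meets_minimum(version: Tuple[int, ...],
                           minimum: Tuple[int, ...] = MIN_LIBEXPAT) -> bool:
    """True if the bundled libexpat is at or above the advisory's minimum."""
    return tuple(version) >= tuple(minimum)


def interpreter_in_cpe_range(py_version: Tuple[int, ...],
                             upper_exclusive: Tuple[int, ...] = AFFECTED_BELOW) -> bool:
    """True if the interpreter version lies inside the page's affected CPE range.

    Being inside the range does not by itself prove the interpreter is vulnerable,
    since the fix was backported to 3.10 through 3.15; it only flags that the
    pyexpat patch status must be confirmed.
    """
    return tuple(py_version[:3]) < tuple(upper_exclusive)


def assess(expat_version: Tuple[int, ...] = None,
           py_version: Tuple[int, ...] = None) -> Dict[str, object]:
    """Summarise what version data can and cannot establish about mitigation."""
    if expat_version is None:
        expat_version = tuple(pyexpat.version_info)
    if py_version is None:
        py_version = tuple(sys.version_info[:3])

    expat_ok = libexpat_meets_minimum(expat_version)
    in_range = interpreter_in_cpe_range(py_version)

    if not expat_ok:
        status = "NOT MITIGATED: libexpat below 2.8.0; update libexpat and apply the pyexpat patch"
    elif in_range:
        status = ("PARTIAL: libexpat is new enough, but confirm the pyexpat "
                  "XML_SetHashSalt16Bytes patch is present in this build")
    else:
        status = "libexpat is new enough and the interpreter is outside the affected CPE range"

    return {
        "libexpat": expat_version,
        "python": py_version,
        "meets_minimum": expat_ok,
        "in_cpe_range": in_range,
        "status": status,
    }


if __name__ == "__main__":
    # Report on the running interpreter (whatever libexpat it was built against).
    print("EXPAT_VERSION:", pyexpat.EXPAT_VERSION)
    for key, value in assess().items():
        print(f"{key}: {value}")
```

Run it under each interpreter you ship; the `status` field tells you whether the libexpat half of the mitigation is satisfied, while the pyexpat patch half still has to be confirmed from the build's changelog or source.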
