Bug 2469216 (CVE-2026-7210) - CVE-2026-7210 python: expat: Python/Expat: Denial of Service via crafted XML document
Summary: CVE-2026-7210 python: expat: Python/Expat: Denial of Service via crafted XML ...
Keywords:
Status: NEW
Alias: CVE-2026-7210
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2484189 2484190 2484192 2484195 2484196 2484200 2484191 2484193 2484194 2484197 2484198 2484199
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-11 18:04 UTC by OSIDB Bzimport
Modified: 2026-07-05 09:28 UTC (History)
20 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-11 18:04:06 UTC
`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\r\n\r\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.


Note You need to log in before you can comment on or make changes to this bug.