Bug 2458967 (CVE-2026-41080) - CVE-2026-41080 libexpat: expat: libexpat: Denial of Service via hash flooding with crafted XML
Keywords:
Status: NEW
Alias: CVE-2026-41080
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2459020 2459021
Blocks:
Reported: 2026-04-16 17:01 UTC by OSIDB Bzimport
Modified: 2026-04-16 19:46 UTC
CC List: 9 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-04-16 17:01:29 UTC
libexpat before 2.7.6 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.

Comment 2 Marco Benatto 2026-04-16 19:46:06 UTC
Public upstream commit for this issue:
https://github.com/libexpat/libexpat/pull/1183/commits/f5eacefb24a69901a3a608dd4c8697d26cff2c6b

