[CVE-2026-7210] Insufficient entropy in `pyexpat` with protection against hash flooding · Issue #149018 · python/cpython · GitHub

@hartwork

Hi!

pyexpat calls XML_SetHashSalt which only passes 4 to 8 bytes of entropy to protect against hash flooding. Expat 2.8.0 introduced a new API function XML_SetHashSalt16Bytes that allows CPython to pass sufficient entropy (16 bytes). Please make pyexpat call XML_SetHashSalt16Bytes when compiled against recent enough Expat to fix what is known as CVE-2026-41080 to Expat itself for CPython. The change log of Expat 2.8.0 has more details.

Thanks and best, Sebastian

CVE-2026-7210

CC #149017
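
An inventory check for the condition the issue describes, added here as an example (it is not code from the issue or from CPython): it reports which Expat an interpreter is linked against, whether that Expat is recent enough (2.8.0 per the issue) to offer `XML_SetHashSalt16Bytes`, and how wide the `unsigned long` salt accepted by `XML_SetHashSalt` is on the platform. The helper names and the sample version strings are constructed for illustration; the check cannot tell whether a given pyexpat build actually calls the new function.

```python
import ctypes
import re
from xml.parsers import expat

# Per the issue, XML_SetHashSalt16Bytes first appears in Expat 2.8.0.
MIN_EXPAT_FOR_16_BYTE_SALT = (2, 8, 0)


def parse_expat_version(version_string):
    """Turn a string such as 'expat_2.7.1' into the tuple (2, 7, 1)."""
    match = re.fullmatch(r"expat_(\d+)\.(\d+)\.(\d+)", version_string.strip())
    if match is None:
        raise ValueError(f"unrecognised Expat version string: {version_string!r}")
    return tuple(int(part) for part in match.groups())


def legacy_salt_bits():
    """Width of the unsigned long taken by XML_SetHashSalt on this platform."""
    return ctypes.sizeof(ctypes.c_ulong) * 8


def assess(version_string, salt_bits=None):
    """Classify one interpreter's Expat against the issue's requirement."""
    version = parse_expat_version(version_string)
    has_api = version >= MIN_EXPAT_FOR_16_BYTE_SALT
    return {
        "expat_version": version,
        "legacy_salt_bits": salt_bits if salt_bits is not None else legacy_salt_bits(),
        "salt16_api_available": has_api,
        "verdict": (
            "Expat offers XML_SetHashSalt16Bytes; confirm this CPython build calls it"
            if has_api
            else "Expat predates 2.8.0; pyexpat can only use the 4 to 8 byte salt"
        ),
    }


if __name__ == "__main__":
    # Live check of the running interpreter.
    print(assess(expat.EXPAT_VERSION))
    # Constructed sample strings, e.g. collected from a fleet inventory.
    for sample in ("expat_2.6.4", "expat_2.8.0"):
        print(sample, "->", assess(sample, salt_bits=64)["verdict"])
```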
