Opened 25 hours ago

#5934 new enhancement

Fix CVE-2026-7210 in Python

Reported by: Douglas R. Reno
Owned by: lfs-book
Priority: high
Milestone: 13.1
Component: Book
Version: git
Severity: normal
Keywords:
Cc:

Description

While reviewing my email, I was greeted with another CPython security vulnerability, this time also valid for 3.14.5.

-------- Forwarded Message --------
Subject:     [Security-announce][CVE-2026-7210] The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection
Date:     Mon, 11 May 2026 17:58:49 +0100
From:     Stan Ulbrych via Security-announce <security-announce@python.org>
Reply-To:     security-sig@python.org
To:     security-announce@python.org
CC:     Stan Ulbrych <stanulbrych@gmail.com>

There is a MEDIUM severity vulnerability affecting CPython.

`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.

Fully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.

Please see the linked CVE ID for the latest information on affected versions:

* https://www.cve.org/CVERecord?id=CVE-2026-7210
* https://github.com/python/cpython/pull/149023

an insufficient entropy problem that also requires users to update to Expat 2.8.0 or later.
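A quick way to see where a given interpreter stands on the libexpat half of the mitigation is to ask pyexpat which Expat it is linked against and compare that with the 2.8.0 floor named in the advisory. The script below is an added example for this ticket, not code from CPython, Expat or the LFS book; it uses only the standard library. The CPython-side patch (PR 149023) changes behaviour rather than a version number, so the script does not try to detect it and reports it as unknown; only the Expat version check is grounded in the advisory text above.

```python
import sys
from xml.parsers import expat

# Minimum libexpat version named in the CVE-2026-7210 advisory.
EXPAT_MIN_VERSION = (2, 8, 0)


def expat_meets_minimum(version_info, minimum=EXPAT_MIN_VERSION):
    """Return True when a (major, minor, micro) tuple is at or above the floor.

    Kept separate from the live lookup so it can be exercised against
    constructed version tuples, e.g. ones read from another host's report.
    """
    return tuple(version_info[:3]) >= tuple(minimum)


def mitigation_status():
    """Describe this interpreter's position relative to the advisory.

    expat.version_info is the runtime libexpat version that pyexpat was
    linked against (not a Python version), which is what matters here: a
    Python rebuilt against an old system libexpat is still exposed.
    """
    linked = tuple(expat.version_info)
    return {
        "python": "%d.%d.%d" % sys.version_info[:3],
        "expat_version": expat.EXPAT_VERSION,      # e.g. "expat_2.8.0"
        "expat_version_info": linked,
        "expat_ok": expat_meets_minimum(linked),
        # Not detectable from a version string; consult the release notes
        # for the CPython build in use (assumption: no runtime marker exists).
        "cpython_patch": "unknown",
    }


if __name__ == "__main__":
    for key, value in mitigation_status().items():
        print(f"{key}: {value}")
```

Run it with the interpreter you are auditing (a chroot or container has its own pyexpat); an `expat_ok: False` line means the libexpat upgrade is still outstanding regardless of which CPython release is installed.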

Change History (0)
