xml.parsers.expat and xml.etree.ElementTree use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.

Fully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.
The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Python | Python | * | 3.15.0 (excluding) |
| Python2.7 | Ubuntu | esm-infra/xenial | * |
| Python3.13 | Ubuntu | upstream | * |
| Python3.14 | Ubuntu | devel | * |
| Python3.14 | Ubuntu | upstream | * |
| Python3.5 | Ubuntu | esm-infra/xenial | * |