Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Untrusted XML reaches the parser remotely without auth or interaction (AV:N/AC:L/PR:N/UI:N); impact is CPU-exhaustion DoS only, so C:N/I:N/A:H.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
11DescriptionNVD
In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input.
AnalysisAI
Denial of service in libexpat before 2.8.1 lets remote attackers exhaust CPU by submitting moderately sized crafted XML whose elements contain many colliding attribute names, triggering quadratic-time behavior in the parser's duplicate-attribute detection. Affects the widely embedded Expat C XML parsing library; publicly available exploit code exists (a proof-of-concept gist), though EPSS is 0.00% and the issue is not in CISA KEV, indicating no observed in-the-wild exploitation. CVSS 7.5 reflects availability-only impact with no confidentiality or integrity exposure.
Technical ContextAI
libexpat (Expat) is a stream-oriented, non-validating XML parser written in C that is embedded across countless applications and language runtimes (e.g. Python's xml.parsers.expat, Perl, PHP, and many native packages). The root cause is CWE-407 (Inefficient Algorithmic Complexity): when parsing a start tag, Expat must ensure no attribute name is duplicated, and the collision-checking routine scales poorly - approximately O(n^2) - with the number of attributes on a single element. An attacker who supplies an element with a large set of colliding/near-colliding attribute names forces disproportionate CPU work relative to the small input size, so even a moderately sized document (not a billion-laughs-style expansion) drives the parser into a long compute loop. The affected CPE is cpe:2.3:a:libexpat_project:libexpat, all versions prior to 2.8.1.
RemediationAI
Upgrade libexpat to version 2.8.1 or later (Vendor-released patch: libexpat 2.8.1), which fixes the attribute-collision complexity; the upstream change is in GitHub PR https://github.com/libexpat/libexpat/pull/1216. On enterprise Linux, apply the corresponding distribution updates rather than rebuilding from source - for Red Hat consume the relevant errata (RHSA-2026:22715, 22721, 23230, 26319, 27201, 29197) and consult the VEX at https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45186.json to confirm which shipped components are impacted, and remember to restart or redeploy any long-running services (and language runtimes such as Python) that have the old library mapped into memory. Where immediate patching is impossible and XML originates from untrusted sources, apply compensating controls: enforce strict input-size and per-element attribute-count limits at the application or gateway layer to reject documents with abnormally many attributes (trade-off: may reject unusual-but-legitimate XML), constrain CPU/time per parse via request timeouts or sandboxing of parser workers (trade-off: adds latency and operational complexity), and restrict or authenticate the network endpoints that accept XML so anonymous remote submission is blocked (trade-off: reduces but does not eliminate exposure for authenticated clients).
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. Rated critical severity (CVSS 9.8),
XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the p
In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEnti
In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too
expat before version 2.4.0 does not properly handle entities expansion unless an application developer uses the XML_SetE
Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a m
An issue was discovered in libexpat before 2.6.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exp
An issue was discovered in libexpat before 2.6.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exp
The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attacke
libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c. Rated high severity (CVSS 8.1), this
The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attacker
The writeRandomBytes_RtlGenRandom function in xmlparse.c in libexpat in Expat 2.2.1 and 2.2.2 on Windows allows local us
Same weakness CWE-407 – Inefficient Algorithmic Complexity
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28985
GHSA-r396-2q2c-pjhr