Skip to main content

libexpat CVE-2026-45186

| EUVDEUVD-2026-28985 HIGH
Inefficient Algorithmic Complexity (CWE-407)
2026-05-10 mitre GHSA-r396-2q2c-pjhr
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Untrusted XML reaches the parser remotely without auth or interaction (AV:N/AC:L/PR:N/UI:N); impact is CPU-exhaustion DoS only, so C:N/I:N/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

11
Analysis Updated
Jun 30, 2026 - 04:23 vuln.today
v5 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:22 vuln.today
v4 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:22 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:19 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 03:24 vuln.today
cvss_changed
Severity Changed
Jun 30, 2026 - 03:24 NVD
LOW HIGH
CVSS changed
Jun 30, 2026 - 03:24 NVD
2.9 (LOW) 7.5 (HIGH)
Patch available
May 10, 2026 - 08:01 EUVD
Source Code Evidence Fetched
May 10, 2026 - 07:15 vuln.today
Analysis Generated
May 10, 2026 - 07:15 vuln.today
CVE Published
May 10, 2026 - 06:36 nvd
LOW 2.9

DescriptionNVD

In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input.

AnalysisAI

Denial of service in libexpat before 2.8.1 lets remote attackers exhaust CPU by submitting moderately sized crafted XML whose elements contain many colliding attribute names, triggering quadratic-time behavior in the parser's duplicate-attribute detection. Affects the widely embedded Expat C XML parsing library; publicly available exploit code exists (a proof-of-concept gist), though EPSS is 0.00% and the issue is not in CISA KEV, indicating no observed in-the-wild exploitation. CVSS 7.5 reflects availability-only impact with no confidentiality or integrity exposure.

Technical ContextAI

libexpat (Expat) is a stream-oriented, non-validating XML parser written in C that is embedded across countless applications and language runtimes (e.g. Python's xml.parsers.expat, Perl, PHP, and many native packages). The root cause is CWE-407 (Inefficient Algorithmic Complexity): when parsing a start tag, Expat must ensure no attribute name is duplicated, and the collision-checking routine scales poorly - approximately O(n^2) - with the number of attributes on a single element. An attacker who supplies an element with a large set of colliding/near-colliding attribute names forces disproportionate CPU work relative to the small input size, so even a moderately sized document (not a billion-laughs-style expansion) drives the parser into a long compute loop. The affected CPE is cpe:2.3:a:libexpat_project:libexpat, all versions prior to 2.8.1.

RemediationAI

Upgrade libexpat to version 2.8.1 or later (Vendor-released patch: libexpat 2.8.1), which fixes the attribute-collision complexity; the upstream change is in GitHub PR https://github.com/libexpat/libexpat/pull/1216. On enterprise Linux, apply the corresponding distribution updates rather than rebuilding from source - for Red Hat consume the relevant errata (RHSA-2026:22715, 22721, 23230, 26319, 27201, 29197) and consult the VEX at https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45186.json to confirm which shipped components are impacted, and remember to restart or redeploy any long-running services (and language runtimes such as Python) that have the old library mapped into memory. Where immediate patching is impossible and XML originates from untrusted sources, apply compensating controls: enforce strict input-size and per-element attribute-count limits at the application or gateway layer to reject documents with abnormally many attributes (trade-off: may reject unusual-but-legitimate XML), constrain CPU/time per parse via request timeouts or sandboxing of parser workers (trade-off: adds latency and operational complexity), and restrict or authenticate the network endpoints that accept XML so anonymous remote submission is blocked (trade-off: reduces but does not eliminate exposure for authenticated clients).

CVE-2022-25315 CRITICAL POC
9.8 Feb 18

In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. Rated critical severity (CVSS 9.8),

CVE-2017-9233 HIGH POC
7.5 Jul 25

XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the p

CVE-2022-43680 HIGH POC
7.5 Oct 24

In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEnti

CVE-2019-15903 HIGH POC
7.5 Sep 04

In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too

CVE-2013-0340 MEDIUM POC
6.8 Jan 21

expat before version 2.4.0 does not properly handle entities expansion unless an application developer uses the XML_SetE

CVE-2016-0718 CRITICAL
9.8 May 26

Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a m

CVE-2024-45492 CRITICAL
9.8 Aug 30

An issue was discovered in libexpat before 2.6.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exp

CVE-2024-45491 CRITICAL
9.8 Aug 30

An issue was discovered in libexpat before 2.6.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exp

CVE-2016-4472 HIGH
8.1 Jun 30

The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attacke

CVE-2022-40674 HIGH
8.1 Sep 14

libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c. Rated high severity (CVSS 8.1), this

CVE-2016-5300 HIGH
7.5 Jun 16

The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attacker

CVE-2017-11742 HIGH
7.8 Jul 30

The writeRandomBytes_RtlGenRandom function in xmlparse.c in libexpat in Expat 2.2.1 and 2.2.2 on Windows allows local us

Share

CVE-2026-45186 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy