Skip to main content

CPython CVE-2026-7210

| EUVDEUVD-2026-29178 MEDIUM
Insufficient Entropy (CWE-331)
2026-05-11 PSF GHSA-wxv8-w48j-r2f4
6.3
CVSS 4.0 · Vendor: PSF
Share

Severity by source

Vendor (PSF) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.3 MEDIUM
qualitative

Primary rating from Vendor (PSF).

CVSS VectorVendor: PSF

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
May 11, 2026 - 18:47 vuln.today
Analysis Generated
May 11, 2026 - 18:47 vuln.today
CVSS changed
May 11, 2026 - 18:22 NVD
6.3 (MEDIUM)
CVE Published
May 11, 2026 - 17:19 nvd
MEDIUM 6.3

DescriptionCVE.org

xml.parsers.expat and xml.etree.ElementTree use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\r\n\r\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.

AnalysisAI

XML parsers in CPython's xml.parsers.expat and xml.etree.ElementTree modules use insufficient entropy for Expat hash-flooding protection, allowing crafted XML documents to trigger algorithmic complexity attacks (hash flooding) that degrade parser performance. Remote attackers can exploit this with complex XML payloads to cause denial of service. Mitigation requires both updating libexpat to 2.8.0 or later and applying the CPython patch, as confirmed by Python Software Foundation security advisory.

Technical ContextAI

The vulnerability stems from CWE-331 (Insufficient Entropy) in the hash salt generation for Expat's internal hash table protection mechanism. CPython's xml.parsers.expat and xml.etree.ElementTree modules wrap libexpat's XML parser and previously used only 8 bytes of entropy (or less in some configurations) for the XML_SetHashSalt API, which is insufficient to resist modern hash-flooding attacks. The fix increases entropy to 16 bytes by leveraging libexpat 2.8.0's new XML_SetHashSalt16Bytes API that accepts full 16-byte entropy, while maintaining backward compatibility with older libexpat versions via fallback to the legacy 8-byte SetHashSalt method. The CPython patch modifies pycore_pyhash.h to allocate full 16-byte storage for the XML hash salt and updates the PyExpat_CAPI struct to expose the SetHashSalt16Bytes function pointer, with conditional compilation ensuring graceful degradation on older libexpat versions.

RemediationAI

Primary mitigation requires a two-part fix: (1) Update libexpat to version 2.8.0 or later (verify via pkg-config --modversion expat or equivalent for your platform), and (2) Apply the CPython patch (PR #149023 at https://github.com/python/cpython/pull/149023) and rebuild CPython from source. The patch is intended for the next CPython release; users of older releases should monitor their Python distribution or backport the changes manually. The patch adds XML_SetHashSalt16Bytes calls in Modules/_elementtree.c and Modules/pyexpat.c with fallback to legacy SetHashSalt if older libexpat is detected, ensuring compatibility. Binary distributions (e.g., from conda, apt, brew) will require waiting for distributors to rebuild CPython against libexpat 2.8.0 and include the patch - check your distribution's security advisories. As a temporary compensating control pending patching, restrict untrusted XML parsing to offline/batch processes with resource limits (set process memory and CPU timeouts via ulimit or cgroups), or use schema validation to reject pathologically complex documents before parsing. These controls reduce but do not eliminate DOS risk.

CVE-2026-6100 CRITICAL
9.1 Apr 13

CPython decompression modules (lzma, bz2, gzip) allow memory corruption via use-after-free when decompressor instances a

CVE-2026-11972 HIGH
8.2 Jun 23

Denial of service in CPython's tarfile module allows remote attackers to trigger an infinite loop by supplying a crafted

CVE-2026-9669 HIGH
8.2 Jun 08

Stack-based buffer overflow in CPython's bz2.BZ2Decompressor allows remote attackers to crash Python applications by sen

CVE-2026-11940 HIGH
7.8 Jun 23

Path traversal in CPython's tarfile module allows a crafted tar archive to bypass the 'data' and 'tar' extraction filter

CVE-2026-4786 HIGH
7.0 Apr 13

Command injection in CPython's webbrowser.open() API bypasses previous CVE-2026-4519 mitigation via specially crafted UR

CVE-2026-4519 HIGH
7.0 Mar 20

The webbrowser.open() API in CPython accepts URLs with leading dashes, which certain web browsers interpret as command-l

CVE-2026-7774 MEDIUM
6.9 Jun 04

Path traversal in CPython's tarfile module allows malicious tar archives to bypass the data_filter safety mechanism and

CVE-2026-3276 MEDIUM
6.3 Jun 03

Denial-of-service via quadratic algorithmic complexity in CPython's unicodedata.normalize() affects all CPython versions

CVE-2026-8328 MEDIUM
5.9 May 13

Server-Side Request Forgery in CPython's ftplib module allows a malicious FTP source server to redirect a target FTP ser

CVE-2026-12003 MEDIUM
5.3 Jun 16

Privilege escalation in CPython on Windows enables a low-privileged local user to hijack the module search path of a mor

CVE-2026-0864 MEDIUM
4.1 Jun 23

Config file injection in CPython's configparser module allows an attacker who controls multi-line values written via con

CVE-2026-6019 LOW
2.1 Apr 22

CPython's http.cookies.Morsel.js_output() method generates inline script snippets that fail to neutralize the HTML parse

Vendor StatusVendor

SUSE

Severity: High
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Fixed
SLES15-SP6-CHOST-BYOS Fixed
SLES15-SP6-CHOST-BYOS-Aliyun Fixed
SLES15-SP6-CHOST-BYOS-Azure Fixed
SLES15-SP6-CHOST-BYOS-EC2 Fixed

Share

CVE-2026-7210 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy