Description
libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.
Published: 2026-04-16
Score: 2.9 Low
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

The libexpat library, in versions before 2.8.0, relies on an inadequate entropy source for its hash function. This weakness permits attackers to craft XML documents that deliberately trigger hash collisions, causing the parser to expend excessive time and resources. The primary consequence is a denial-of-service condition as the application becomes unresponsive or exhausts memory. The issue is classified as CWE-331 (Insufficient Entropy), the failure to incorporate sufficient randomness in hash generation.

Affected Systems

The vulnerability affects all installations of the libexpat project with the libexpat library before version 2.8.0. Any software that links against these older releases is potentially vulnerable if it processes XML input from untrusted sources.

Risk and Exploitability

The CVSS score for this weakness is 2.9, indicating a low overall risk. The EPSS score is less than 1%, showing that the likelihood of exploitation is very low. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to supply a crafted XML document to a system using the vulnerable libexpat version; the attack is predominantly a local or remote denial of service, depending on how the library is used.

Generated by OpenCVE AI on April 28, 2026 at 21:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade installed libexpat to version 2.8.0 or later to eliminate the hash-flooding weakness.
  • If an upgrade cannot be performed immediately, configure the application or environment to impose strict timeouts or size limits on XML parsing operations, preventing excessive resource consumption from crafted input.
  • Monitor application logs and system metrics for unusually long or repeated XML parsing attempts, and isolate or quarantine hosts exhibiting such behavior to mitigate potential denial-of-service attacks.

Tracking

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 06:30:00 +0000

Type: Description
Values Removed: libexpat before 2.7.6 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.
Values Added: libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.

Type: References

Sun, 26 Apr 2026 22:30:00 +0000

Type: References

Sat, 18 Apr 2026 03:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 17 Apr 2026 00:15:00 +0000

Type: Title
Values Added: libexpat: expat: libexpat: Denial of Service via hash flooding with crafted XML

Type: References

Type: Metrics (threat_severity)
Values Removed: None
Values Added: Low


Thu, 16 Apr 2026 17:00:00 +0000

Type: Description
Values Added: libexpat before 2.7.6 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.

Type: First Time appeared
Values Added: Libexpat Project; Libexpat Project libexpat

Type: Weaknesses
Values Added: CWE-331

Type: CPEs
Values Added: cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Libexpat Project; Libexpat Project libexpat

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 2.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-27T05:59:38.490Z

Reserved: 2026-04-16T16:52:00.655Z

Link: CVE-2026-41080

Vulnrichment

Updated: 2026-04-26T18:14:25.064Z

NVD

Status: Modified

Published: 2026-04-16T17:16:54.917

Modified: 2026-04-27T07:16:03.937

Link: CVE-2026-41080

Redhat

Severity: Low

Public Date: 2026-04-16T16:52:01Z

Links: CVE-2026-41080 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T21:45:26Z

Weaknesses