Impact
In libexpat versions prior to 2.8.1, the cost of the routine that checks for attribute name collisions grows with the number of attributes. When a malicious actor supplies a moderately sized XML document containing many attributes with colliding names, parsing can consume excessive CPU and memory resources, causing the application or service to become unresponsive. The vulnerability is a classic denial-of-service flaw, classified as CWE-407: Inefficient Algorithmic Complexity. The CVSS score of 2.9 reflects a low-to-moderate risk to confidentiality, integrity, and availability for systems that parse XML with libexpat.
Affected Systems
The flaw affects the libexpat library from the libexpat project. All installations using libexpat versions earlier than 2.8.1 are susceptible. No additional vendor or product variations are listed in the CNA data.
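The following is an added example, not code from the libexpat project or from this advisory. It compares the libexpat version linked into a Python interpreter, and version strings from an inventory, against the fixed release 2.8.1 named above. The component names and version strings in `SAMPLE` are constructed for illustration.

```python
import re
from xml.parsers import expat

FIXED = (2, 8, 1)  # first unaffected release, per this advisory
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

def parse_version(text):
    """Extract (major, minor, micro) from strings such as 'expat_2.7.1'
    or '2.8.1-1'. Returns None when no version number is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    # A missing micro component ('2.4') is treated as 0.
    return tuple(int(p) if p else 0 for p in m.groups())

def is_affected(version):
    """True when the version tuple is earlier than the fixed release."""
    return tuple(version) < FIXED

def runtime_expat():
    """Version of the libexpat that this interpreter's pyexpat module uses."""
    return tuple(expat.version_info)

def audit(inventory):
    """Map each component in a {name: version_string} inventory to
    'affected', 'fixed' or 'unknown'."""
    result = {}
    for name, raw in inventory.items():
        v = parse_version(raw)
        if v is None:
            result[name] = "unknown"
        else:
            result[name] = "affected" if is_affected(v) else "fixed"
    return result

# Constructed inventory entries (hypothetical component names and versions).
SAMPLE = {
    "api-gateway": "expat_2.7.1",
    "feed-ingest": "2.8.1-1",
    "legacy-batch": "libexpat 2.4",
    "vendored-blob": "unknown build",
}

if __name__ == "__main__":
    rt = runtime_expat()
    print("interpreter links expat", rt, "affected:", is_affected(rt))
    for name, status in audit(SAMPLE).items():
        print(f"{name}: {status}")
```

Distribution packages can carry backported fixes under an older upstream version number, so confirm an "affected" result against the package vendor's own advisory.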
Risk and Exploitability
The attack requires constructing a crafted XML input with a high number of colliding attribute names. The CVSS assessment indicates low severity, and the exploitation probability (EPSS) is not reported, suggesting limited evidence of widespread exploitation. The vulnerability is not included in CISA's known exploited vulnerabilities catalog. Attackers would most likely send the malicious XML over a network interface that the application accepts, making the vector external. An effective exploit would need to bypass any application‑level input filtering and reach the XML parsing routine of libexpat.