Impact
The vulnerability exists in the `xml.parsers.expat` and `xml.etree.ElementTree` modules of CPython, where the hash-flooding protection relies on insufficient randomness. A maliciously crafted XML document can trigger massive hash collisions in the parser's internal dictionary, exhausting CPU or memory resources and leading to a service interruption. This weakness falls under CWE-331 (Insufficient Entropy). The impact is confined to the single process that parses the attacker-supplied XML, but on a high-traffic web server or API it could be leveraged to cause widespread denial of service across an application or an entire system.
Affected Systems
All CPython installations that include the default `xml` package and depend on a libexpat version older than 2.8.0 are potentially affected. The vulnerability affects the Expat parser integrated into CPython and the ElementTree XML library. Site administrators should review the CPython version in use, as newer releases incorporate the patched parser and an updated libexpat dependency, and upgrade to a release that includes both the interpreter fix and the library upgrade.
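One way to carry out that version review in practice, as an added example that is not taken from the advisory or from CPython itself: it reads the libexpat version exposed by `xml.parsers.expat`, compares it against the 2.8.0 threshold named above, and, as a general resource-exhaustion guard whose 1 MB cap is an assumption, limits the size of untrusted XML before it reaches ElementTree.

```python
import sys
import xml.parsers.expat as expat   # exposes the libexpat version compiled into this CPython
import xml.etree.ElementTree as ET

# First libexpat release that the advisory above names as carrying the fix.
MIN_SAFE_EXPAT = (2, 8, 0)


def parse_expat_version(version_str):
    """Turn an EXPAT_VERSION string such as 'expat_2.6.4' into a comparable int tuple."""
    numbers = version_str.rsplit("_", 1)[-1]
    return tuple(int(part) for part in numbers.split("."))


def expat_is_patched(version_info, minimum=MIN_SAFE_EXPAT):
    """True when the bundled libexpat is at or beyond the first fixed release."""
    return tuple(version_info) >= tuple(minimum)


def audit_running_interpreter():
    """Report the CPython and libexpat versions of this process and whether they meet the threshold."""
    return {
        "python": sys.version.split()[0],
        "expat": expat.EXPAT_VERSION,
        "expat_version_info": tuple(expat.version_info),
        "patched": expat_is_patched(expat.version_info),
    }


def parse_untrusted_xml(data, max_bytes=1_000_000):
    """Cap the size of attacker-controllable XML before handing it to ElementTree.

    General resource-exhaustion guard (the cap value is an assumption, not from
    the advisory); it bounds the work a single document can cause but does not
    replace upgrading libexpat.
    """
    if len(data) > max_bytes:
        raise ValueError(f"XML input of {len(data)} bytes exceeds the {max_bytes}-byte cap")
    return ET.fromstring(data)


if __name__ == "__main__":
    for key, value in audit_running_interpreter().items():
        print(f"{key}: {value}")
    # Constructed sample document, well within the cap.
    root = parse_untrusted_xml(b"<config><item name='a'/></config>")
    print("parsed root tag:", root.tag)
```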
Risk and Exploitability
The CVSS score of 6.3 indicates moderate severity. No EPSS score is available, so no current estimate of exploitation probability is published. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been observed in the wild. Nevertheless, the easiest attack vector is any XML input channel exposed to untrusted users, such as web services, configuration files, or document upload endpoints. An attacker can exploit the weakness by sending a carefully crafted XML payload that induces a hash flood, resulting in resource exhaustion and denial of service. Given the absence of a public exploit and the moderate severity, the risk is significant for exposed XML endpoints but lower than for remote code execution or privilege escalation vulnerabilities.
OpenCVE Enrichment