7.3
XML Parsing in Python Can Be Overwhelmed by Malicious Data
UBUNTU-CVE-2026-7210
Summary
A maliciously crafted XML document can trigger hash flooding in Python's XML parsing, potentially leading to performance issues or system crashes. This issue affects Python's `xml.etree.ElementTree` and `xml.parsers.expat` modules, which use insufficient entropy for Expat's hash-flooding protection. Fully mitigating it requires both updating the libexpat library to version 2.8.0 or later and applying the accompanying patch.
What to do
No fix is available yet. Check with your software vendor for updates.
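The Summary names libexpat 2.8.0 as the minimum version. The following added example (not part of the advisory or of any vendor tooling) checks that condition for the running interpreter and for version strings collected from other hosts; the function names and the sample inventory are assumptions made for illustration.

```python
import re
import xml.parsers.expat as expat

# Minimum libexpat release named in the advisory text.
REQUIRED_LIBEXPAT = (2, 8, 0)


def parse_expat_version(text):
    """Turn 'expat_2.6.1' or '2.6.1' into (2, 6, 1)."""
    m = re.fullmatch(r"(?:expat_)?(\d+)\.(\d+)\.(\d+)", text.strip())
    if m is None:
        raise ValueError(f"unrecognised Expat version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def assess(version):
    """Assess a libexpat version given as a string or an int tuple."""
    if isinstance(version, str):
        version = parse_expat_version(version)
    version = tuple(version)
    # Tuple comparison is numeric, so 2.10.0 correctly ranks above 2.8.0.
    lib_ok = version >= REQUIRED_LIBEXPAT
    if lib_ok:
        # The advisory requires BOTH the library update and the Python
        # patch; the library version alone cannot confirm the patch.
        action = "libexpat OK; confirm the Python package carries the patch"
    else:
        action = "update libexpat to 2.8.0 or later, then apply the patch"
    return {"libexpat": version, "libexpat_ok": lib_ok, "action": action}


def assess_running_interpreter():
    """Assess the libexpat that this interpreter's pyexpat reports."""
    return assess(expat.version_info)


if __name__ == "__main__":
    print("this interpreter:", assess_running_interpreter())
    # Constructed sample inventory: host label -> pyexpat EXPAT_VERSION.
    inventory = {
        "build-01": "expat_2.4.7",
        "web-02": "expat_2.7.3",
        "api-03": "expat_2.8.0",
        "lab-04": "expat_2.10.1",
    }
    for host, reported in inventory.items():
        print(host, assess(reported))
```

A passing library check is necessary but not sufficient: whether the Python package itself carries the patch has to be confirmed from the vendor's package changelog.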
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Ubuntu:Pro:14.04:LTS | canonical | python2.7 | All versions |
| Ubuntu:Pro:14.04:LTS | canonical | python3.4 | All versions |
| Ubuntu:Pro:14.04:LTS | canonical | python3.5 | All versions |
| Ubuntu:Pro:16.04:LTS | canonical | python2.7 | All versions |
| Ubuntu:Pro:16.04:LTS | canonical | python3.5 | All versions |
| Ubuntu:Pro:18.04:LTS | canonical | python2.7 | All versions |
| Ubuntu:Pro:18.04:LTS | canonical | python3.6 | All versions |
| Ubuntu:Pro:18.04:LTS | canonical | python3.7 | All versions |
| Ubuntu:Pro:18.04:LTS | canonical | python3.8 | All versions |
| Ubuntu:Pro:20.04:LTS | canonical | python3.8 | All versions |
| Ubuntu:Pro:20.04:LTS | canonical | python2.7 | All versions |
| Ubuntu:Pro:20.04:LTS | canonical | python3.9 | All versions |
| Ubuntu:22.04:LTS | canonical | python3.10 | All versions |
| Ubuntu:Pro:22.04:LTS | canonical | python2.7 | All versions |
| Ubuntu:Pro:22.04:LTS | canonical | python3.11 | All versions |
| Ubuntu:24.04:LTS | canonical | python3.12 | All versions |
| Ubuntu:25.10 | canonical | python3.13 | All versions |
| Ubuntu:25.10 | canonical | python3.14 | All versions |
| Ubuntu:26.04:LTS | canonical | python3.14 | All versions |
Original title
`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding. Fully mitigating th...
Original description
`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.

Fully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.
osv CVSS4.0
7.3
osv CVSS3.1
9.8
- https://ubuntu.com/security/CVE-2026-7210 Third Party Advisory
- https://www.cve.org/CVERecord?id=CVE-2026-7210 Third Party Advisory
Published: 11 May 2026 · Updated: 26 May 2026 · First seen: 26 May 2026