Hi!
pyexpat calls XML_SetHashSalt which only passes 4 to 8 bytes of entropy to protect against hash flooding. Expat 2.8.0 introduced a new API function XML_SetHashSalt16Bytes that allows CPython to pass sufficient entropy (16 bytes). Please make pyexpat call XML_SetHashSalt16Bytes when compiled against recent enough Expat to fix what is known as CVE-2026-41080 to Expat itself for CPython. The change log of Expat 2.8.0 has more details.
Thanks and best, Sebastian
CVE-2026-7210
CC #149017
Linked PRs
XML_SetHashSalt16Bytes in pyexpat/_elementtree when possible #149023
XML_SetHashSalt16Bytes in pyexpat/_elementtree when possible (GH-149023) #149645
XML_SetHashSalt16Bytes in pyexpat/_elementtree when possible (GH-149023) #149646
XML_SetHashSalt16Bytes in pyexpat/_elementtree when possible (GH-149023) #151160
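A check an operator might run alongside this request (an added example, not code from the issue or from CPython): it flags interpreters whose pyexpat reports an Expat older than 2.8.0, where XML_SetHashSalt16Bytes cannot be available. The host names and inventory format are constructed, and a version of 2.8.0 or later is necessary but not sufficient, since the CPython build must also contain the requested pyexpat change.

```python
import re
from xml.parsers import expat

# First Expat release with XML_SetHashSalt16Bytes, per the issue text.
MIN_EXPAT = (2, 8, 0)

_VERSION_RE = re.compile(r"^expat_(\d+)\.(\d+)\.(\d+)$")


def parse_expat_version(text):
    """Parse a pyexpat EXPAT_VERSION string such as 'expat_2.6.2'."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognized Expat version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def has_salt16_api(version):
    """True if this Expat version is new enough to offer the 16-byte salt API."""
    # Compare as integer tuples: as strings, "2.10.1" would sort below "2.8.0".
    return tuple(version) >= MIN_EXPAT


def audit(inventory):
    """Return hosts whose Expat is too old, or whose version is unparseable."""
    flagged = {}
    for host, reported in inventory.items():
        try:
            version = parse_expat_version(reported)
        except ValueError:
            flagged[host] = "unknown"
            continue
        if not has_salt16_api(version):
            flagged[host] = ".".join(map(str, version))
    return flagged


# Constructed sample inventory: host name -> collected pyexpat.EXPAT_VERSION.
SAMPLE_INVENTORY = {
    "build-01": "expat_2.6.2",
    "web-02": "expat_2.8.0",
    "batch-03": "expat_2.10.1",
    "legacy-04": "2.4",
}

if __name__ == "__main__":
    # The local interpreter, using the version pyexpat itself reports.
    print("local:", expat.EXPAT_VERSION, has_salt16_api(expat.version_info))
    print("flagged:", audit(SAMPLE_INVENTORY))
```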