{"id":"PSF-2026-23","details":"`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\r\n\r\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying the CPython patch referenced by this advisory.","aliases":["BIT-libpython-2026-7210","BIT-python-2026-7210","BIT-python-min-2026-7210","CVE-2026-7210"],"modified":"2026-06-11T02:04:24.252545Z","published":"2026-05-11T17:19:09.784Z","database_specific":{"cwe_ids":[]},"references":[{"type":"ADVISORY","url":"https://mail.python.org/archives/list/security-announce@python.org/thread/PNY5OMBDPM2FRUZTWFFPJ6LISWKV627K/"},{"type":"WEB","url":"https://github.com/python/cpython/pull/149023"},{"type":"REPORT","url":"https://github.com/python/cpython/issues/149018"},{"type":"FIX","url":"https://github.com/python/cpython/commit/24b8f12544468e4cedf5bfbe25442fcd495391e4"},{"type":"FIX","url":"https://github.com/python/cpython/commit/3573b3b1ecbd99030a0b18658e1bfece771b2566"},{"type":"FIX","url":"https://github.com/python/cpython/commit/eeea765cb9d8f1fc3d8918b272ac3c477983f27a"},{"type":"FIX","url":"https://github.com/python/cpython/commit/fc9b11ff49cbc82e6f917d07a61517a2b5f3145f"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/python/cpython","events":[{"introduced":"0"},{"fixed":"24b8f12544468e4cedf5bfbe25442fcd495391e4"},{"fixed":"3573b3b1ecbd99030a0b18658e1bfece771b2566"},{"fixed":"eeea765cb9d8f1fc3d8918b272ac3c477983f27a"},{"fixed":"fc9b11ff49cbc82e6f917d07a61517a2b5f3145f"}]}],"versions":["v3.14.5","v3.15.0b1","v3.14.5rc1","v3.13.13","v3.14.4","v3.15.0a8","v3.15.0a7","v3.15.0a6","v3.13.12","v3.14.3","v3.15.0a5","v3.15.0a4","v3.15.0a3","v3.14.2","v3.13.11","v3.13.10","v3.14.1","v3.15.0a2","v3.15.0a1","v3.13.8","v3.14.0","v3.14.0rc3","v3.13.7","v3.14.0rc2","v3.13.6","v3.14.0rc1","v3.14.0b4","v3.14.0b3","v3.13.5","v3.13.4","v3.14.0b2","v3.14.0b1","v3.13.3","v3.14.0a7","v3.14.0a6","v3.14.0a5
","v3.13.2","v3.14.0a4","v3.14.0a3","v3.13.1","v3.14.0a2","v3.14.0a1","v3.13.0","v3.13.0rc3","v3.13.0rc2","v3.13.0rc1","v3.13.0b4","v3.13.0b3","v3.13.0b2","v3.13.0b1","v3.13.0a6","v3.13.0a5","v3.13.0a4","v3.13.0a3","v3.13.0a2","v3.13.0a1","v3.12.0b1","v3.12.0a7","v3.12.0a6","v3.12.0a5","v3.12.0a4","v3.12.0a3","v3.12.0a2","v3.12.0a1","v3.11.0b1","v3.11.0a7","v3.11.0a6","v3.11.0a5","v3.11.0a4","v3.11.0a3","v3.10.0a7","v3.10.0a1","v3.9.0a2","v3.7.0a2","v3.6.0b1","v3.6.0a3","v3.5.0b1","v3.5.0a4","v3.5.0a3","v3.5.0a2","v3.5.0a1","v3.4.0b3","v3.4.0b2","v3.4.0b1","v3.4.0a4","v3.4.0a3","v3.4.0a2","v3.4.0a1","v3.3.0rc3","v3.3.0rc2","v3.3.0rc1","v3.3.0b2","v3.3.0b1","v3.3.0a4","v3.3.0a3","v3.3.0a2","v3.2rc3","v3.2rc2","v3.2rc1","v3.2b2","v3.2b1","v3.2a4","v3.2a3","v3.2a2","v3.2a1","v3.1","v3.1rc2","v3.1rc1","v3.1b1","v3.1a2","v3.1a1","v3.0rc3","v3.0rc2","v3.0rc1","v3.0b3","v3.0b2","v3.0b1","v3.0a5","v3.0a4","v3.0a3","v3.0a2","v3.0a1","v2.4","v2.4c1","v2.4b2","v2.4b1","v2.4a3","v2.4a2","v2.4a1","v2.3c2","v2.3c1","v2.2a3","v2.1","v2.1c2","v2.1c1","v2.1b2","v2.1b1","v2.1a2","v2.1a1","v2.0","v2.0c1","v2.0b2","v2.0b1","v1.6a2","v1.6a1","v1.5.2","v1.5.2c1","v1.5.2b2","v1.5.2b1","v1.5.2a2","v1.5.2a1","v1.5.1","v1.5","v1.5b2","v1.5b1","v1.5a4","v1.5a3","v1.5a2","v1.5a1","v1.4","v1.4b3","v1.4b2","v1.4b1","v1.3","v1.3b1","v1.2","v1.2b4","v1.2b3","v1.2b2","v1.2b1","v1.1.1","v1.1","v1.0.2","v1.0.1","v0.9.9","v0.9.8"],"database_specific":{"vanir_signatures_modified":"2026-06-11T02:04:24Z","source":"https://github.com/psf/advisory-database/blob/main/advisories/python/PSF-2026-23.json","vanir_signatures":[{"digest":{"line_hashes":["282054346468100250562588928679692945206","241745087690371911974619499003941746146"],"threshold":0.9},"signature_version":"v1","source":"https://github.com/python/cpython/commit/eeea765cb9d8f1fc3d8918b272ac3c477983f27a","signature_type":"Line","target":{"file":"Include/pyexpat.h"},"id":"PSF-2026-23-13eab482","deprecated":false},{"digest":{"function_hash":"10083767
7078581469210422368217459004578","length":2990},"signature_version":"v1","source":"https://github.com/python/cpython/commit/eeea765cb9d8f1fc3d8918b272ac3c477983f27a","signature_type":"Function","target":{"file":"Modules/_elementtree.c","function":"_elementtree_XMLParser___init___impl"},"id":"PSF-2026-23-17d28da6","deprecated":false},{"digest":{"line_hashes":["200809790425200767353365779645814661145","338571468881071273146244236238519698763","158710132041207750309477001233984228072","52491913065894657274224157621680217981","231686096489310269328649624848028668734","9764412166215748283159686165100133222","143444819121599425158698232384205236527"],"threshold":0.9},"signature_version":"v1","source":"https://github.com/python/cpython/commit/3573b3b1ecbd99030a0b18658e1bfece771b2566","signature_type":"Line","target":{"file":"Include/internal/pycore_pyhash.h"},"id":"PSF-2026-23-2da9aa18","deprecated":false},{"digest":{"function_hash":"100837677078581469210422368217459004578","length":2990},"signature_version":"v1","source":"https://github.com/python/cpython/commit/24b8f12544468e4cedf5bfbe25442fcd495391e4","signature_type":"Function","target":{"file":"Modules/_elementtree.c","function":"_elementtree_XMLParser___init___impl"},"id":"PSF-2026-23-40d083c4","deprecated":false},{"digest":{"line_hashes":["235540386729885170438800261319618750470","172128923270737101073236902300203403709","307193223577402528095909077030823192072","52491913065894657274224157621680217981","231686096489310269328649624848028668734","9764412166215748283159686165100133222","143444819121599425158698232384205236527"],"threshold":0.9},"signature_version":"v1","source":"https://github.com/python/cpython/commit/fc9b11ff49cbc82e6f917d07a61517a2b5f3145f","signature_type":"Line","target":{"file":"Include/internal/pycore_pyhash.h"},"id":"PSF-2026-23-426b5dbb","deprecated":false},{"digest":{"line_hashes":["331466583639241250362361799100269972853","268201616245445465644069845275318051766","162056430873582821825539244
461100327069","205189259492710410910413780725664212883"],"threshold":0.9},"signature_version":"v1","source":"https://github.com/python/cpython/commit/3573b3b1ecbd99030a0b18658e1bfece771b2566","signature_type":"Line","target":{"file":"Modules/_elementtree.c"},"id":"PSF-2026-23-45eda978","deprecated":false},{"digest":{"line_hashes":["282054346468100250562588928679692945206","241745087690371911974619499003941746146"],"threshold":0.9},"signature_version":"v1","source":"https://github.com/python/cpython/commit/3573b3b1ecbd99030a0b18658e1bfece771b2566","signature_type":"Line","target":{"file":"Include/pyexpat.h"},"id":"PSF-2026-23-588d9fcd","deprecated":false},{"digest":{"function_hash":"100837677078581469210422368217459004578","length":2990},"signature_version":"v1","source":"https://github.com/python/cpython/commit/3573b3b1ecbd99030a0b18658e1bfece771b2566","signature_type":"Function","target":{"file":"Modules/_elementtree.c","function":"_elementtree_XMLParser___init___impl"},"id":"PSF-2026-23-5e07327e","deprecated":false},{"digest":{"line_hashes":["139223617181001955104759715207834526056","228426983551421850305035845652555746849","157063243252423991660603289123046198519","126873213760035561109826808365762501927","156149891684222126871834519137026026373","285177093540853341381039225061555051327","123367630945934901850591089140463774569","203907525583600214249590754539200999315"],"threshold":0.9},"signature_version":"v1","source":"https://github.com/python/cpython/commit/24b8f12544468e4cedf5bfbe25442fcd495391e4","signature_type":"Line","target":{"file":"Modules/pyexpat.c"},"id":"PSF-2026-23-6078bfbf","deprecated":false},{"digest":{"line_hashes":["282054346468100250562588928679692945206","241745087690371911974619499003941746146"],"threshold":0.9},"signature_version":"v1","source":"https://github.com/python/cpython/commit/24b8f12544468e4cedf5bfbe25442fcd495391e4","signature_type":"Line","target":{"file":"Include/pyexpat.h"},"id":"PSF-2026-23-6f2ef549","deprecated":false},{"
digest":{"function_hash":"282746458073661659926039957721266319977","length":1341},"signature_version":"v1","source":"https://github.com/python/cpython/commit/3573b3b1ecbd99030a0b18658e1bfece771b2566","signature_type":"Function","target":{"file":"Modules/pyexpat.c","function":"newxmlparseobject"},"id":"PSF-2026-23-6f360086","deprecated":false},{"digest":{"function_hash":"100837677078581469210422368217459004578","length":2990},"signature_version":"v1","source":"https://github.com/python/cpython/commit/fc9b11ff49cbc82e6f917d07a61517a2b5f3145f","signature_type":"Function","target":{"file":"Modules/_elementtree.c","function":"_elementtree_XMLParser___init___impl"},"id":"PSF-2026-23-742ecc50","deprecated":false},{"digest":{"line_hashes":["331466583639241250362361799100269972853","268201616245445465644069845275318051766","162056430873582821825539244461100327069","205189259492710410910413780725664212883"],"threshold":0.9},"signature_version":"v1","source":"https://github.com/python/cpython/commit/eeea765cb9d8f1fc3d8918b272ac3c477983f27a","signature_type":"Line","target":{"file":"Modules/_elementtree.c"},"id":"PSF-2026-23-7545dd1a","deprecated":false},{"digest":{"line_hashes":["331466583639241250362361799100269972853","268201616245445465644069845275318051766","162056430873582821825539244461100327069","205189259492710410910413780725664212883"],"threshold":0.9},"signature_version":"v1","source":"https://github.com/python/cpython/commit/24b8f12544468e4cedf5bfbe25442fcd495391e4","signature_type":"Line","target":{"file":"Modules/_elementtree.c"},"id":"PSF-2026-23-7594aa45","deprecated":false},{"digest":{"function_hash":"282746458073661659926039957721266319977","length":1341},"signature_version":"v1","source":"https://github.com/python/cpython/commit/24b8f12544468e4cedf5bfbe25442fcd495391e4","signature_type":"Function","target":{"file":"Modules/pyexpat.c","function":"newxmlparseobject"},"id":"PSF-2026-23-7afd403d","deprecated":false},{"digest":{"line_hashes":["20080979042520076735
3365779645814661145","338571468881071273146244236238519698763","158710132041207750309477001233984228072","52491913065894657274224157621680217981","231686096489310269328649624848028668734","9764412166215748283159686165100133222","143444819121599425158698232384205236527"],"threshold":0.9},"signature_version":"v1","source":"https://github.com/python/cpython/commit/eeea765cb9d8f1fc3d8918b272ac3c477983f27a","signature_type":"Line","target":{"file":"Include/internal/pycore_pyhash.h"},"id":"PSF-2026-23-96e32c16","deprecated":false},{"digest":{"function_hash":"282746458073661659926039957721266319977","length":1341},"signature_version":"v1","source":"https://github.com/python/cpython/commit/eeea765cb9d8f1fc3d8918b272ac3c477983f27a","signature_type":"Function","target":{"file":"Modules/pyexpat.c","function":"newxmlparseobject"},"id":"PSF-2026-23-a310f3cc","deprecated":false},{"digest":{"line_hashes":["139223617181001955104759715207834526056","228426983551421850305035845652555746849","157063243252423991660603289123046198519","126873213760035561109826808365762501927","156149891684222126871834519137026026373","285177093540853341381039225061555051327","123367630945934901850591089140463774569","203907525583600214249590754539200999315"],"threshold":0.9},"signature_version":"v1","source":"https://github.com/python/cpython/commit/eeea765cb9d8f1fc3d8918b272ac3c477983f27a","signature_type":"Line","target":{"file":"Modules/pyexpat.c"},"id":"PSF-2026-23-b03a43ed","deprecated":false},{"digest":{"line_hashes":["331466583639241250362361799100269972853","268201616245445465644069845275318051766","162056430873582821825539244461100327069","205189259492710410910413780725664212883"],"threshold":0.9},"signature_version":"v1","source":"https://github.com/python/cpython/commit/fc9b11ff49cbc82e6f917d07a61517a2b5f3145f","signature_type":"Line","target":{"file":"Modules/_elementtree.c"},"id":"PSF-2026-23-b1b9434c","deprecated":false},{"digest":{"line_hashes":["139223617181001955104759715207834526056","
228426983551421850305035845652555746849","157063243252423991660603289123046198519","126873213760035561109826808365762501927","156149891684222126871834519137026026373","285177093540853341381039225061555051327","123367630945934901850591089140463774569","203907525583600214249590754539200999315"],"threshold":0.9},"signature_version":"v1","source":"https://github.com/python/cpython/commit/3573b3b1ecbd99030a0b18658e1bfece771b2566","signature_type":"Line","target":{"file":"Modules/pyexpat.c"},"id":"PSF-2026-23-b72642ca","deprecated":false},{"digest":{"line_hashes":["139223617181001955104759715207834526056","228426983551421850305035845652555746849","157063243252423991660603289123046198519","126873213760035561109826808365762501927","156149891684222126871834519137026026373","285177093540853341381039225061555051327","123367630945934901850591089140463774569","203907525583600214249590754539200999315"],"threshold":0.9},"signature_version":"v1","source":"https://github.com/python/cpython/commit/fc9b11ff49cbc82e6f917d07a61517a2b5f3145f","signature_type":"Line","target":{"file":"Modules/pyexpat.c"},"id":"PSF-2026-23-e48a3ebd","deprecated":false},{"digest":{"line_hashes":["200809790425200767353365779645814661145","338571468881071273146244236238519698763","158710132041207750309477001233984228072","52491913065894657274224157621680217981","231686096489310269328649624848028668734","9764412166215748283159686165100133222","143444819121599425158698232384205236527"],"threshold":0.9},"signature_version":"v1","source":"https://github.com/python/cpython/commit/24b8f12544468e4cedf5bfbe25442fcd495391e4","signature_type":"Line","target":{"file":"Include/internal/pycore_pyhash.h"},"id":"PSF-2026-23-e9ebe48a","deprecated":false},{"digest":{"function_hash":"282746458073661659926039957721266319977","length":1341},"signature_version":"v1","source":"https://github.com/python/cpython/commit/fc9b11ff49cbc82e6f917d07a61517a2b5f3145f","signature_type":"Function","target":{"file":"Modules/pyexpat.c","functio
n":"newxmlparseobject"},"id":"PSF-2026-23-ea80eeb2","deprecated":false},{"digest":{"line_hashes":["282054346468100250562588928679692945206","241745087690371911974619499003941746146"],"threshold":0.9},"signature_version":"v1","source":"https://github.com/python/cpython/commit/fc9b11ff49cbc82e6f917d07a61517a2b5f3145f","signature_type":"Line","target":{"file":"Include/pyexpat.h"},"id":"PSF-2026-23-f133fdd1","deprecated":false}]}}],"schema_version":"1.7.5"}