CVE-2026-7210

Name	CVE-2026-7210
Description	`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\r\n\r\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
pypy3 (PTS)	bullseye	7.3.5+dfsg-2+deb11u2	vulnerable
	bullseye (security)	7.3.5+dfsg-2+deb11u5	vulnerable
	bookworm	7.3.11+dfsg-2+deb12u3	vulnerable
	trixie	7.3.19+dfsg-2	vulnerable
	forky, sid	7.3.23+dfsg-1	vulnerable
python2.7 (PTS)	bullseye	2.7.18-8+deb11u1	vulnerable
python3.11 (PTS)	bookworm	3.11.2-6+deb12u7	vulnerable
	bookworm (security)	3.11.2-6+deb12u3	vulnerable
python3.13 (PTS)	trixie	3.13.5-2+deb13u2	vulnerable
	forky, sid	3.13.12-1	vulnerable
python3.14 (PTS)	forky, sid	3.14.5-1	vulnerable
python3.9 (PTS)	bullseye	3.9.2-1	vulnerable
	bullseye (security)	3.9.2-1+deb11u7	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency
pypy3	source	(unstable)	(unfixed)
python2.7	source	bullseye	(unfixed)	end-of-life
python2.7	source	(unstable)	(unfixed)
python3.11	source	(unstable)	(unfixed)
python3.13	source	(unstable)	(unfixed)
python3.14	source	(unstable)	(unfixed)
python3.9	source	(unstable)	(unfixed)

Notes

[trixie] - python3.13 <no-dsa> (Minor issue)
[bookworm] - python3.11 <no-dsa> (Minor issue)
[bullseye] - python3.9 <postponed> (Minor issue, wait for expat update)
[bullseye] - python2.7 <end-of-life> (not supported in bullseye)
[trixie] - pypy3 <no-dsa> (Minor issue)
[bookworm] - pypy3 <no-dsa> (Minor issue)
[bullseye] - pypy3 <postponed> (Minor issue)
https://mail.python.org/archives/list/security-announce@python.org/thread/PNY5OMBDPM2FRUZTWFFPJ6LISWKV627K/
https://github.com/python/cpython/issues/149018
https://github.com/python/cpython/pull/149023
https://github.com/python/cpython/commit/24b8f12544468e4cedf5bfbe25442fcd495391e4 (main)
https://github.com/python/cpython/pull/149645 (3.15)
https://github.com/python/cpython/pull/149646 (3.14)
Fully mitigating this vulnerability requires fixing both libexpat
(CVE-2026-41080) and applying the python patch for CVE-2026-7210.