CVE-2026-7210

EUVD-2026-29178
`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.

Fully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| PSF | CNA | 7.5 HIGH | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
EPSS Score
Percentile: 51%
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| python | python | 𝑥 < 3.15.0 |

𝑥 = Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| python | cpython | 𝑥 < 3.13.14 | CNA |
| python | cpython | 3.14.0 ≤ 𝑥 < 3.14.6 | CNA |
Amazon Linux Releases
| Amazon Package | Release | Version | Status |
|---|---|---|---|
| python3.14 | Amazon Linux 2023 | 0:3.14.5-1.amzn2023.0.1 | fixed |
| python3.14-debug | Amazon Linux 2023 | 0:3.14.5-1.amzn2023.0.1 | fixed |
| python3.14-debuginfo | Amazon Linux 2023 | 0:3.14.5-1.amzn2023.0.1 | fixed |
| python3.14-debugsource | Amazon Linux 2023 | 0:3.14.5-1.amzn2023.0.1 | fixed |
| python3.14-devel | Amazon Linux 2023 | 0:3.14.5-1.amzn2023.0.1 | fixed |
| python3.14-freethreading | Amazon Linux 2023 | 0:3.14.5-1.amzn2023.0.1 | fixed |
| python3.14-freethreading-debug | Amazon Linux 2023 | 0:3.14.5-1.amzn2023.0.1 | fixed |
| python3.14-freethreading-devel | Amazon Linux 2023 | 0:3.14.5-1.amzn2023.0.1 | fixed |
| python3.14-freethreading-idle | Amazon Linux 2023 | 0:3.14.5-1.amzn2023.0.1 | fixed |
| python3.14-freethreading-libs | Amazon Linux 2023 | 0:3.14.5-1.amzn2023.0.1 | fixed |
| python3.14-freethreading-test | Amazon Linux 2023 | 0:3.14.5-1.amzn2023.0.1 | fixed |
| python3.14-freethreading-tkinter | Amazon Linux 2023 | 0:3.14.5-1.amzn2023.0.1 | fixed |
| python3.14-idle | Amazon Linux 2023 | 0:3.14.5-1.amzn2023.0.1 | fixed |
| python3.14-libs | Amazon Linux 2023 | 0:3.14.5-1.amzn2023.0.1 | fixed |
| python3.14-test | Amazon Linux 2023 | 0:3.14.5-1.amzn2023.0.1 | fixed |
| python3.14-tkinter | Amazon Linux 2023 | 0:3.14.5-1.amzn2023.0.1 | fixed |