QSearchQSearch

CVE-2026-41080

2.9 LOW

libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document

Published: 2026-04-16 · Last updated: 2026-06-12

Severity and scoring

CVSS
2.9 LOW
Vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE
CWE-331

Affected products

VendorProduct
libexpat_projectlibexpat

Description

libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-50219 libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_Pa... (4.9 MEDIUM)
  • CVE-2026-25210 In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow... (6.9 MEDIUM)
  • CVE-2026-24515 In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data (2.9 LOW)
  • CVE-2025-66382 In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time (2.9 LOW)

Same CWE

  • CVE-2026-46473 Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand (7.5 HIGH)
  • CVE-2026-8700 Crypt::DSA versions before 1.20 for Perl generate seeds using rand (7.3 HIGH)
  • CVE-2026-46474 Trog::TOTP versions before 1.006 for Perl generate secrets using rand (7.5 HIGH)
  • CVE-2026-42155 Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-com...
  • CVE-2025-14972 * Countermeasures for DPA within SYMCRYPTO engine on SixG301xxx devices are not sufficiently random and will eventually repeat