{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7210", "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22", "state": "PUBLISHED", "assignerShortName": "PSF", "dateReserved": "2026-04-27T14:43:40.042Z", "datePublished": "2026-05-11T17:19:09.784Z", "dateUpdated": "2026-06-10T18:57:50.682Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["xml", "expat"], "product": "CPython", "repo": "https://github.com/python/cpython", "vendor": "Python Software Foundation", "versions": [{"version": "0", "lessThan": "3.13.14", "status": "affected", "versionType": "python"}, {"version": "3.14.0", "lessThan": "3.14.6", "status": "affected", "versionType": "python"}, {"version": "3.15.0a1", "lessThan": "3.15.0b2", "status": "affected", "versionType": "python"}]}], "credits": [{"lang": "en", "type": "coordinator", "value": "Stan Ulbrych (https://github.com/StanFromIreland)"}, {"lang": "en", "type": "remediation reviewer", "value": "Gregory P. Smith (https://github.com/gpshead)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"type": "text/html", "value": "`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\\r\\n\\r\\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch."}], "value": "`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\\r\\n\\r\\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.3, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-331", "description": "CWE-331 Insufficient entropy", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "28c92f92-d60d-412d-b760-e73465c3df22", "shortName": "PSF", "dateUpdated": "2026-06-10T18:57:50.682Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/PNY5OMBDPM2FRUZTWFFPJ6LISWKV627K/"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/pull/149023"}, {"tags": ["issue-tracking"], "url": "https://github.com/python/cpython/issues/149018"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/24b8f12544468e4cedf5bfbe25442fcd495391e4"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/3573b3b1ecbd99030a0b18658e1bfece771b2566"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/eeea765cb9d8f1fc3d8918b272ac3c477983f27a"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/fc9b11ff49cbc82e6f917d07a61517a2b5f3145f"}], "source": {"discovery": "UNKNOWN"}, "title": "The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection", "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-11T18:53:57.884366Z", "id": "CVE-2026-7210", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-11T18:54:12.868Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/05/11/8"}, {"url": "http://www.openwall.com/lists/oss-security/2026/05/11/13"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-05-11T20:34:17.811Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/05/11/8"}, {"url": "http://www.openwall.com/lists/oss-security/2026/05/11/13"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-05-11T20:34:17.811Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-7210", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-11T18:53:57.884366Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-11T18:54:05.725Z"}}], "cna": {"title": "The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "coordinator", "value": "Stan Ulbrych (https://github.com/StanFromIreland)"}, {"lang": "en", "type": "remediation reviewer", "value": "Gregory P. Smith (https://github.com/gpshead)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/python/cpython", "vendor": "Python Software Foundation", "modules": ["xml", "expat"], "product": "CPython", "versions": [{"status": "affected", "version": "0", "lessThan": "3.13.14", "versionType": "python"}, {"status": "affected", "version": "3.14.0", "lessThan": "3.14.6", "versionType": "python"}, {"status": "affected", "version": "3.15.0a1", "lessThan": "3.15.0b2", "versionType": "python"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/PNY5OMBDPM2FRUZTWFFPJ6LISWKV627K/", "tags": ["vendor-advisory"]}, {"url": "https://github.com/python/cpython/pull/149023", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/issues/149018", "tags": ["issue-tracking"]}, {"url": "https://github.com/python/cpython/commit/24b8f12544468e4cedf5bfbe25442fcd495391e4", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/3573b3b1ecbd99030a0b18658e1bfece771b2566", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/eeea765cb9d8f1fc3d8918b272ac3c477983f27a", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/fc9b11ff49cbc82e6f917d07a61517a2b5f3145f", "tags": ["patch"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\\r\\n\\r\\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.", "supportingMedia": [{"type": "text/html", "value": "`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\\r\\n\\r\\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch."}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-331", "description": "CWE-331 Insufficient entropy"}]}], "providerMetadata": {"orgId": "28c92f92-d60d-412d-b760-e73465c3df22", "shortName": "PSF", "dateUpdated": "2026-06-10T18:57:50.682Z"}}}, "cveMetadata": {"cveId": "CVE-2026-7210", "state": "PUBLISHED", "dateUpdated": "2026-06-10T18:57:50.682Z", "dateReserved": "2026-04-27T14:43:40.042Z", "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22", "datePublished": "2026-05-11T17:19:09.784Z", "assignerShortName": "PSF"}, "dataVersion": "5.2"}

{"affected": [{"affectedData": [{"defaultStatus": "unaffected", "modules": ["xml", "expat"], "product": "CPython", "repo": "https://github.com/python/cpython", "vendor": "Python Software Foundation", "versions": [{"lessThan": "3.13.14", "status": "affected", "version": "0", "versionType": "python"}, {"lessThan": "3.14.6", "status": "affected", "version": "3.14.0", "versionType": "python"}, {"lessThan": "3.15.0b2", "status": "affected", "version": "3.15.0a1", "versionType": "python"}]}], "source": "cna@python.org"}], "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "43B0671A-35BB-4EE4-8A68-E79B62A75547", "versionEndExcluding": "3.15.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\\r\\n\\r\\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch."}], "id": "CVE-2026-7210", "lastModified": "2026-06-17T11:02:00.563", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@python.org", "type": "Secondary"}], "ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-7210", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "role": "CISA Coordinator", "timestamp": "2026-05-11T18:53:57.884366Z", "version": "2.0.3"}}]}, "published": "2026-05-11T18:16:42.413", "references": [{"source": "cna@python.org", "tags": ["Patch"], "url": "https://github.com/python/cpython/commit/24b8f12544468e4cedf5bfbe25442fcd495391e4"}, {"source": "cna@python.org", "tags": ["Patch"], "url": "https://github.com/python/cpython/commit/3573b3b1ecbd99030a0b18658e1bfece771b2566"}, {"source": "cna@python.org", "tags": ["Patch"], "url": "https://github.com/python/cpython/commit/eeea765cb9d8f1fc3d8918b272ac3c477983f27a"}, {"source": "cna@python.org", "tags": ["Patch"], "url": "https://github.com/python/cpython/commit/fc9b11ff49cbc82e6f917d07a61517a2b5f3145f"}, {"source": "cna@python.org", "tags": ["Issue Tracking"], "url": "https://github.com/python/cpython/issues/149018"}, {"source": "cna@python.org", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/python/cpython/pull/149023"}, {"source": "cna@python.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/PNY5OMBDPM2FRUZTWFFPJ6LISWKV627K/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/05/11/13"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/05/11/8"}], "sourceIdentifier": "cna@python.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-331"}], "source": "cna@python.org", "type": "Secondary"}]}

{"bugzilla": {"description": "python: expat: Python/Expat: Denial of Service via crafted XML document", "id": "2469216", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2469216"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-331", "details": ["A flaw was found in the `python` and `expat` components. Insufficient entropy in the hash-flooding protection mechanism of `xml.parsers.expat` and `xml.etree.ElementTree` allows a remote attacker to craft a malicious XML document. This crafted document can trigger a hash flooding attack, leading to a denial of service (DoS) condition."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-7210", "package_state": [{"cpe": "cpe:/a:redhat:exploit_intelligence:0", "fix_state": "Fix deferred", "package_name": "exploit-intelligence-tech-preview/vulnerability-analysis-rhel9", "product_name": "Exploit Intelligence"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "python3.12", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "python3.14", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "python", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "python", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "python3", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "python3", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "python3.12", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "python36:3.6/python36", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "python3.12", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "python3.14", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "python3.9", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-aws-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-azure-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-azure-rocm-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-gaudi-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-gcp-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-rocm-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}], "public_date": "2026-05-11T17:19:09Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-7210\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-7210\nhttps://github.com/python/cpython/issues/149018\nhttps://github.com/python/cpython/pull/149023\nhttps://mail.python.org/archives/list/security-announce@python.org/thread/PNY5OMBDPM2FRUZTWFFPJ6LISWKV627K/"], "statement": "The impact from this flaw is limited to a denial of service in the Python runtime. Host Red Hat systems are not affected in their default configurations.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.15.0)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "CPython", "source": "cna", "vendor": "Python Software Foundation"}, "product": "cpython", "vendor": "python"}], "created": "2026-05-11T19:45:08.329243+00:00", "updated": "2026-05-11T20:15:09.895590+00:00", "vendors": ["python", "python$PRODUCT$cpython"]}