CVE-2026-41080: libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.

Overview

Severity

Low (CVSS 2.9)

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Exploit Status

Not Exploited

Patch Tuesday

2026-Apr

Released

2026-04-18

Last Updated

2026-06-02

EPSS Score

0.01% (percentile: 2.1%)

Affected Products (7)

Open Source Software

• cbl2 expat 2.6.4-4 on CBL Mariner 2.0
• azl3 python3 3.12.9-10 on Azure Linux 3.0
• azl3 expat 2.6.4-5 on Azure Linux 3.0
• azl3 expat 2.6.4-6 on Azure Linux 3.0
• cbl2 cmake 3.21.4-23 on CBL Mariner 2.0
• cbl2 python3 3.9.19-19 on CBL Mariner 2.0

Other

• 21119-17084

Revision History

• 2026-04-18: Information published.
• 2026-04-25: Information published.
• 2026-04-29: Information published.
• 2026-05-01: Information published.
• 2026-05-02: Information published.
• 2026-05-19: Information published.
• 2026-06-02: Information published.