CVE-2026-41080 — Insufficient Entropy in Project Libexpat

CWE-331 — Insufficient Entropy7 documents5 sources
Severity
2.9LOWNVD
EPSS
No EPSS data
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Libexpat Project Libexpat
Timeline
PublishedApr 16

Description

libexpat before 2.7.6 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 1.4 | Impact: 1.4

Affected Packages1 packages

â–¶CVEListV5libexpat_project/libexpat< 2.7.6

🔴Vulnerability Details

2
CVEList
CVE-2026-41080: libexpat before 2↗2026-04-16
â–¶
VulDB
libexpat up to 2.7.5 XML Document entropy (ID 47 / EUVD-2026-23276)↗2026-04-16
â–¶

📋Vendor Advisories

1
Red Hat
libexpat: expat: libexpat: Denial of Service via hash flooding with crafted XML↗2026-04-16
â–¶

💬Community

3
Bugzilla
CVE-2026-41080 libexpat: expat: libexpat: Denial of Service via hash flooding with crafted XML↗2026-04-16
â–¶
Bugzilla
CVE-2026-41080 expat: libexpat: Denial of Service via hash flooding with crafted XML [fedora-all]↗2026-04-16
â–¶
Bugzilla
CVE-2026-41080 mingw-expat: libexpat: Denial of Service via hash flooding with crafted XML [fedora-all]↗2026-04-16
â–¶
CVE-2026-41080 — Insufficient Entropy | cvebase