CVE-2026-4224 — Uncontrolled Recursion in Software Foundation CPython
CWE-674 — Uncontrolled Recursion
CWE-805 — Buffer Access with Incorrect Length Value
13 documents, 9 sources
Severity: 6.0 MEDIUM (NVD)
EPSS: 0.0% (top 91.52%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: (none listed)
Timeline: Published Mar 16
Description
When an Expat parser with a registered ElementDeclHandler parses an inline
document type definition containing a deeply nested content model, a C stack
overflow occurs.
CVSS vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Affected packages: 1 package
Vulnerability Details (3)
- GHSA: GHSA-h46w-ffvp-4pw5: When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack (2026-03-16)
- OSV: CVE-2026-4224: When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack (2026-03-16)
Vendor Advisories (3)
Threat Intelligence (1)
Community (5)
- Bugzilla: CVE-2026-4224 python3.15: Stack overflow parsing XML with deeply nested DTD content models [fedora-all] (2026-03-16)
- Bugzilla: CVE-2026-4224 python3.13: Stack overflow parsing XML with deeply nested DTD content models [fedora-all] (2026-03-16)
- Bugzilla: CVE-2026-4224 mingw-python3: Stack overflow parsing XML with deeply nested DTD content models [fedora-all] (2026-03-16)
- Bugzilla: CVE-2026-4224 python3.14: Stack overflow parsing XML with deeply nested DTD content models [fedora-all] (2026-03-16)