=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN484
_____________________________________________________________________

DATE                : 12/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running CPython.

=====================================================================
https://mail.python.org/archives/list/security-announce@python.org/thread/PNY5OMBDPM2FRUZTWFFPJ6LISWKV627K/
_____________________________________________________________________


[CVE-2026-7210] The expat and elementtree parsers use insufficient
entropy for XML hash-flooding protection

Stan Ulbrych
11 May 2026 11:58

There is a MEDIUM severity vulnerability affecting CPython.

xml.parsers.expat and xml.etree.ElementTree use insufficient entropy
for Expat hash-flooding protection, which allows a crafted XML document
to trigger hash flooding.

Fully mitigating this vulnerability requires both updating libexpat to
2.8.0 or later and applying this patch.

Please see the linked CVE ID for the latest information on affected
versions:

    https://www.cve.org/CVERecord?id=CVE-2026-7210
    https://github.com/python/cpython/pull/149023

Best regards,
Stan Ulbrych.

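The announcement states that full mitigation needs two things: a libexpat at 2.8.0 or later, and the CPython patch. The first half can be verified from inside the interpreter, because CPython's `pyexpat` module exposes the version of the libexpat it is actually bound to (`pyexpat.EXPAT_VERSION` as an `expat_X.Y.Z` string and `pyexpat.version_info` as a tuple). The script below is an added example written for this bulletin; it is not code from the CPython project or from the announcement above. The 2.8.0 floor is taken from the announcement text; the function and constant names are this example's own. It deliberately does not try to judge the CPython-side patch, since the affected CPython versions are listed only in the linked CVE record and not on this page.

```python
"""Check whether the libexpat bound to this CPython meets the 2.8.0 floor
named in the CVE-2026-7210 announcement.

Added example for the bulletin; not CPython project code. Covers only the
libexpat half of the stated mitigation: the CPython patch itself must be
checked against the versions listed in the CVE record.
"""
import re
import sys

import pyexpat  # the C backend behind xml.parsers.expat and ElementTree

# Floor quoted from the announcement: "libexpat 2.8.0 or later".
EXPAT_FLOOR = (2, 8, 0)

# pyexpat.EXPAT_VERSION has the form "expat_2.6.2".
_VERSION_RE = re.compile(r"^expat_(\d+)\.(\d+)\.(\d+)$")


def parse_expat_version_string(s: str) -> tuple:
    """Turn the 'expat_X.Y.Z' string into a comparable (X, Y, Z) tuple."""
    m = _VERSION_RE.match(s.strip())
    if m is None:
        raise ValueError(f"unrecognised expat version string: {s!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def linked_expat_version() -> tuple:
    """Version of the libexpat actually linked into this interpreter.

    pyexpat.version_info is authoritative; EXPAT_VERSION is parsed as a
    cross-check so an inconsistent build is reported instead of trusted.
    """
    info = tuple(pyexpat.version_info)
    parsed = parse_expat_version_string(pyexpat.EXPAT_VERSION)
    if info != parsed:
        raise RuntimeError(
            f"pyexpat reports inconsistent versions: {info} vs {parsed}"
        )
    return info


def meets_expat_floor(version, floor=EXPAT_FLOOR) -> bool:
    """True when `version` is at or above the required libexpat release.

    Tuple comparison handles multi-digit components correctly, which a
    string comparison of "2.10.0" against "2.8.0" would not.
    """
    return tuple(version) >= tuple(floor)


def report() -> dict:
    """Summarise what can be verified from inside the interpreter."""
    v = linked_expat_version()
    return {
        "python": sys.version.split()[0],
        "libexpat": ".".join(str(x) for x in v),
        "libexpat_floor_met": meets_expat_floor(v),
    }


if __name__ == "__main__":
    r = report()
    print(r)
    if not r["libexpat_floor_met"]:
        # Non-zero exit so the check can gate a deployment or a CI job.
        print("libexpat older than 2.8.0: CVE-2026-7210 not fully mitigated",
              file=sys.stderr)
        sys.exit(1)
```

Run it with the interpreter that will actually parse untrusted XML: a virtualenv, container or vendored Python may link a different libexpat than the system one, and a passing result for `/usr/bin/python3` says nothing about an embedded build.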

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
