Message-ID: <96eb9370-0f79-45f5-9073-adab4693b192@pipping.org>
Date: Mon, 11 May 2026 22:43:24 +0200
From: Sebastian Pipping <sebastian@...ping.org>
To: oss-security@...ts.openwall.com
Subject: libexpat 2.8.1 fixes CVE-2026-45186 (denial of service)

Hello oss-security,


just a quick note that libexpat 2.8.1 (or "Expat 2.8.1"), released
yesterday, fixes CVE-2026-45186:

   Fix quadratic runtime from attribute name collision checks that
   allowed denial of service attacks through moderately sized crafted
   XML input (CWE-407).
   Please note that a layer of compression around XML can significantly
   reduce the minimum attack payload size.

Some key links are:

- The blog post about it
   https://blog.hartwork.org/posts/expat-2-8-1-released/

- The change log of release 2.8.1
   https://github.com/libexpat/libexpat/blob/R_2_8_1/expat/Changes

- The fixing pull request
   https://github.com/libexpat/libexpat/pull/1216

- The NVD CVE metadata
   https://nvd.nist.gov/vuln/detail/CVE-2026-45186

PS: The CVE database lists an unrealistically low CVSS score for this.
     The complexity of an attack is very low (not "High") and the attack
     vector is remote (not "Local"). I have asked Mitre to fix this
     earlier today. My blog post linked above has a few more words on
     that topic.

Best



Sebastian
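An added defensive example (editor's code, not part of Sebastian's post or of the libexpat project) showing the two controls a consumer of this advisory would want at the point where XML enters the application: gate on a libexpat version of at least 2.8.1, and bound the size of XML after decompression, since the post notes that a compression layer shrinks the minimum attack payload. The 1 MiB cap, the function names and the constructed sample documents are assumptions for illustration; `pyexpat.version_info` reports the expat version Python was built against.

```python
import zlib
import pyexpat

# Assumed policy values for this example (not from the advisory).
MAX_XML_BYTES = 1 * 1024 * 1024     # refuse decompressed XML above 1 MiB
MIN_SAFE_EXPAT = (2, 8, 1)          # first release carrying the CVE-2026-45186 fix


def expat_is_patched(version=None):
    """True if the given (or linked) libexpat version is 2.8.1 or newer."""
    v = tuple(pyexpat.version_info) if version is None else tuple(version)
    return v >= MIN_SAFE_EXPAT


def inflate_bounded(data, limit=MAX_XML_BYTES):
    """Decompress zlib- or gzip-wrapped bytes, refusing once output exceeds `limit`.

    The decompressor is asked for at most limit + 1 bytes, so an oversized
    payload is detected without ever materialising it in full.
    """
    d = zlib.decompressobj(wbits=zlib.MAX_WBITS | 32)   # auto-detect zlib/gzip header
    out = d.decompress(data, limit + 1)
    if len(out) > limit:
        raise ValueError("decompressed XML exceeds %d bytes" % limit)
    if not d.eof:
        raise ValueError("compressed stream is truncated")
    return out


def attr_counts(xml_bytes):
    """Parse `xml_bytes` with expat and return the attribute count of each start tag."""
    counts = []
    parser = pyexpat.ParserCreate()
    parser.StartElementHandler = lambda name, attrs: counts.append(len(attrs))
    parser.Parse(xml_bytes, True)
    return counts


def safe_parse(compressed, limit=MAX_XML_BYTES, version=None):
    """Gate on library version, bound the inflated size, then parse."""
    if not expat_is_patched(version):
        raise RuntimeError("libexpat older than 2.8.1; refusing to parse")
    return attr_counts(inflate_bounded(compressed, limit))


def compressed_sample(n_attrs):
    """Constructed input: one element with n_attrs distinct attributes, zlib-compressed."""
    attrs = " ".join("a%d='x'" % i for i in range(n_attrs))
    return zlib.compress(("<r %s/>" % attrs).encode("ascii"))


if __name__ == "__main__":
    small = compressed_sample(100)
    large = compressed_sample(200_000)
    print("linked expat", pyexpat.version_info, "patched:", expat_is_patched())
    print("100-attribute document compresses to", len(small), "bytes")
    print("200000-attribute document compresses to", len(large), "bytes")
    print("attribute counts:", attr_counts(inflate_bounded(small)))
    try:
        inflate_bounded(large)
    except ValueError as e:
        print("rejected before parsing:", e)
```

The order matters: the size bound runs before any bytes reach the parser, so a document that would only be expensive to parse on an unpatched library is never handed to it, and the version gate turns a silent exposure into a loud failure in deployments that have not yet picked up 2.8.1.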
