CVE-2026-41080: libexpat 2.8.0 fixes CVE-2026-41080 (insufficient entropy)
Published Apr 16, 2026
libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.
Affected Software
3 affected components
Expat libexpat < 2.7.6
Libexpat Project Libexpat < 2.7.6
Libexpat Project Libexpat < 2.8.0
Remediation
Patch Available
Event History
Apr 16, 2026
CVE Published
via MITRE·04:52 PM
Data Sourced
via MITRE·04:52 PM
Description, Severity, Weakness
Data Sourced
via NVD·05:16 PM
Remedy, Description, Severity, Weakness, Affected Software
Frequently Asked Questions
1. What is the severity of CVE-2026-41080?
CVE-2026-41080 has been classified as a moderate severity vulnerability due to the potential for hash flooding attacks.
2. How do I fix CVE-2026-41080?
To mitigate CVE-2026-41080, upgrade to libexpat version 2.7.6 or later.
3. What type of attacks are possible with CVE-2026-41080?
CVE-2026-41080 may lead to denial of service attacks through hash flooding via crafted XML documents.
4. Which versions of libexpat are affected by CVE-2026-41080?
Versions of libexpat prior to 2.7.6 are affected by CVE-2026-41080.
5. Is CVE-2026-41080 exploitable in production environments?
Yes, CVE-2026-41080 could potentially be exploited in production environments that process untrusted XML data.