CVE-2026-45186: libexpat 2.8.1 fixes CVE-2026-45186 (denial of service)
Published May 10, 2026
In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input.
Affected Software
2 affected components
Expat libexpat < 2.8.1
Libexpat Project Libexpat < 2.8.1
Remediation
Patch Available
Event History
May 10, 2026
CVE Published, via MITRE · 06:36 AM
Data Sourced, via MITRE · 06:36 AM: Description, Severity, Weakness
Data Sourced, via Red Hat · 07:01 AM: Description, Severity, Affected Software
Data Sourced, via NVD · 07:16 AM: Description, Severity, Weakness
Data Sourced, via NVD · 07:16 AM: Remedy, Affected Software
Frequently Asked Questions
1. What is the severity of CVE-2026-45186?
CVE-2026-45186 is classified as a denial of service vulnerability.
2. How do I fix CVE-2026-45186?
To mitigate CVE-2026-45186, upgrade to libexpat version 2.8.1 or later.
3. What are the risks associated with CVE-2026-45186?
The risks include potential service downtime caused by crafted XML input.
4. Which versions of libexpat are affected by CVE-2026-45186?
CVE-2026-45186 affects libexpat versions prior to 2.8.1.
5. Can CVE-2026-45186 impact production environments?
Yes, if exploited, CVE-2026-45186 can lead to service interruptions in production environments.