Hi!
pyexpat calls XML_SetHashSalt which only passes 4 to 8 bytes of entropy to protect against hash flooding. Expat 2.8.0 introduced a new API function XML_SetHashSalt16Bytes that allows CPython to pass sufficient entropy (16 bytes). Please make pyexpat call XML_SetHashSalt16Bytes when compiled against recent enough Expat to fix what is known as CVE-2026-41080 to Expat itself for CPython. The change log of Expat 2.8.0 has more details.
Thanks and best, Sebastian
CC #149017
Linked PRs
XML_SetHashSalt16Bytes in pyexpat/_elementtree when possible #149023