CVE-2026-45186
Description
RHSA-2026:22721: expat security update (Important)
Mitigations
Mitigation details
Description
libexpat: denial of service via crafted XML input
Red Hat statement
To exploit this issue, an attacker needs to be able to process a specially crafted XML file or input with an application linked to the libexpat library. Also, the only security impact of this flaw is a high consumption of CPU resources that can eventually cause a denial of service. Due to this reason, this vulnerability has been rated with an important severity.
CVSS v3: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
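The exploitation precondition and the CPU-only impact in the Red Hat statement above translate into two checks a practitioner wants for a service that parses untrusted XML: which libexpat it is linked against, and a bound on how much work a single document may consume. The Python below is an added example written for this page, not code from Red Hat, the libexpat project or this tracker. It uses Python's xml.parsers.expat module, which is a binding to the system or bundled libexpat, so a Python service parsing attacker-controlled XML is itself an "application linked to the libexpat library". The function names, the budget values and the sample document are assumptions of this example. The size cap and wall-clock budget are a generic guard that limits how long a CPU-exhausting document can hold a worker; they are not a fix for the flaw, which only the package update provides. The version check compares against the upstream fixed version 2.8.1 from the application-impact table and is not reliable on distributions that backport fixes (AlmaLinux 8 lists 2.5.0-2.el8_10 as fixed), where the package release string is what to check.

```python
"""Defensive use of libexpat from Python (added example, not advisory code).

Two checks for a service that parses untrusted XML:
  1. report the upstream libexpat version this interpreter links, and
  2. parse under a size cap and a wall-clock budget so a CPU-exhausting
     document is cut off instead of pinning a worker indefinitely.
"""
import time
import xml.parsers.expat as expat

# Upstream fixed version from the advisory's application-impact table.
UPSTREAM_FIXED = (2, 8, 1)


def linked_expat_version():
    """Return (major, minor, micro) of the libexpat this Python is linked to."""
    return tuple(expat.version_info)


def is_upstream_fixed(version=None):
    """True if the upstream expat version is at or above 2.8.1.

    Caveat: distributions backport fixes without bumping the upstream
    version (e.g. 2.5.0-2.el8_10 is listed as fixed on AlmaLinux 8), so on
    RHEL/Debian hosts trust the package release, not this number.
    """
    if version is None:
        version = linked_expat_version()
    return tuple(version) >= UPSTREAM_FIXED


class ParseBudgetExceeded(Exception):
    """Raised when the input exceeds the size or time budget."""


def parse_with_budget(data, max_bytes=1 << 20, max_seconds=2.0):
    """Parse `data` (bytes) with expat under a size and wall-clock budget.

    Returns a dict of element and character-data counts. Raises
    ParseBudgetExceeded if the document is larger than `max_bytes` or
    parsing runs past `max_seconds`; raises expat.ExpatError for
    malformed XML. The budget values are assumptions of this example.
    """
    if len(data) > max_bytes:
        raise ParseBudgetExceeded(
            "input is %d bytes, cap is %d" % (len(data), max_bytes))

    deadline = time.monotonic() + max_seconds
    stats = {"elements": 0, "chars": 0}

    def check_deadline():
        # An exception raised inside a pyexpat handler propagates out of
        # Parse(), so this aborts the parse. Work done inside libexpat
        # between two callbacks is not interrupted, which is why the input
        # is also fed in chunks below: less data per call, earlier checks.
        if time.monotonic() > deadline:
            raise ParseBudgetExceeded(
                "parse exceeded %.1fs budget" % max_seconds)

    def start(name, attrs):
        check_deadline()
        stats["elements"] += 1

    def chars(text):
        check_deadline()
        stats["chars"] += len(text)

    parser = expat.ParserCreate()
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars

    chunk = 64 * 1024  # assumed chunk size
    for offset in range(0, len(data), chunk):
        check_deadline()
        parser.Parse(data[offset:offset + chunk], False)
    parser.Parse(b"", True)
    return stats


def build_sample(n_items):
    """Constructed benign sample document with n_items child elements."""
    body = b"".join(b"<item id='%d'>x</item>" % i for i in range(n_items))
    return b"<root>" + body + b"</root>"


if __name__ == "__main__":
    print("linked libexpat %s, upstream-fixed: %s"
          % (expat.EXPAT_VERSION, is_upstream_fixed()))
    print(parse_with_budget(build_sample(100)))
    try:
        parse_with_budget(build_sample(100), max_bytes=10)
    except ParseBudgetExceeded as exc:
        print("rejected:", exc)
```

Run on a host where pyexpat links the distribution's libexpat (the usual case for distro Python packages) and the first line tells you which upstream version your service actually parses with; on a CPython that bundles its own expat, the distribution's package state does not apply to that interpreter at all.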
Package state
| Product | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 10 | expat | Affected |
| Red Hat Enterprise Linux 6 | compat-expat1 | Affected |
| Red Hat Enterprise Linux 6 | expat | Will not fix |
| Red Hat Enterprise Linux 7 | expat | Affected |
| Red Hat Enterprise Linux 8 | expat | Affected |
| Red Hat Enterprise Linux 8 | mingw-expat | Affected |
| Red Hat Enterprise Linux 9 | expat | Affected |
| Red Hat JBoss Core Services | libexpat-2.dll | Affected |
Affected
| Vendor | Product | Status |
|---|---|---|
| redhat | Red Hat Enterprise Linux 10 | Affected |
| redhat | Red Hat Enterprise Linux 6 | Affected |
| redhat | Red Hat Enterprise Linux 7 | Affected |
| redhat | Red Hat Enterprise Linux 8 | Affected |
| redhat | Red Hat Enterprise Linux 9 | Affected |
| redhat | Red Hat JBoss Core Services | Affected |
OS impact
SUSE: Affected (1 release)
| Version | Status | Fixed in |
|---|---|---|
| - | Affected | - |
Windows: Affected (1 release)
| Version | Status | Fixed in |
|---|---|---|
| - | Affected | - |
Debian: Mixed (5 releases)
| Version | Status | Fixed in |
|---|---|---|
| trixie | Affected | - |
| sid | Fixed | 2.8.0-2 |
| forky | Fixed | 2.8.0-2 |
| bullseye | Affected | - |
| bookworm | Affected | - |
AlmaLinux: Fixed (1 release)
| Version | Status | Fixed in |
|---|---|---|
| 8 | Fixed | expat-devel-2.5.0-2.el8_10.i686.rpm |
Red Hat: Fixed (1 release)
| Version | Status | Fixed in |
|---|---|---|
| 8 | Fixed | - |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| libexpat_project | libexpat | < 2.8.1 | 2.8.1 |
References
- https://github.com/libexpat/libexpat/pull/1216
- http://www.openwall.com/lists/oss-security/2026/05/11/16
- https://security-tracker.debian.org/tracker/CVE-2026-45186
- https://www.suse.com/security/cve/CVE-2026-45186.html
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45186
- https://access.redhat.com/errata/RHSA-2026:22721
- https://bugzilla.redhat.com/2468575
- https://errata.almalinux.org/8/ALSA-2026-22721.html
CWEs
CWE-407: Inefficient Algorithmic Complexity