Cyber Posture

CVE-2026-41080

Severity: Low
Published: 16 April 2026
Modified: 27 April 2026
KEV Added: not listed
Patch: libexpat 2.8.0
CVSS Score: 2.9 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
EPSS Score: 0.0003 (9.7th percentile)
Risk Priority: 6 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-41080 is a low-severity Insufficient Entropy (CWE-331) vulnerability in libexpat, the libexpat project's XML parser. Its CVSS v3.1 base score is 2.9 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS ranks it at the 9.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: SI-2 (Flaw Remediation). Requires timely remediation of the libexpat insufficient-entropy flaw by upgrading to version 2.8.0 or later, which directly eliminates hash flooding from crafted XML.

detect: RA-5 (Vulnerability Monitoring and Scanning). Enables scanning to identify systems running libexpat versions prior to 2.8.0, so that flaw remediation can be targeted.

prevent: Implements safeguards (such as resource limits on XML parsing) that limit the availability impact of local denial-of-service attacks via hash table collisions in libexpat.
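The detect control above calls for finding hosts that still run an affected libexpat. The following is an added example written for this page, not code from the advisory or from the libexpat project: it extracts a version triple from the forms a package inventory typically contains, compares it with the 2.8.0 fix version stated on this page, reports the libexpat that the running Python interpreter's pyexpat is linked against, and scans a constructed inventory (the host names and lines are invented for illustration).

```python
"""Flag libexpat versions affected by CVE-2026-41080 (fixed in 2.8.0).

Added example; not part of the advisory page or the libexpat project.
The inventory lines at the bottom are constructed for illustration.
"""
import re
import xml.parsers.expat as expat

FIXED_VERSION = (2, 8, 0)  # from the advisory: the flaw is fixed in libexpat 2.8.0
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str):
    """Extract the first X.Y.Z triple from strings such as 'expat_2.7.1',
    'libexpat1 2.6.4-1' (Debian-style) or '2.8.0'. Returns None if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def is_affected(version) -> bool:
    """True for every upstream version below 2.8.0 (i.e. <= 2.7.6 per the page)."""
    return tuple(version) < FIXED_VERSION


def running_expat_version():
    """Version of the libexpat that this interpreter's pyexpat is linked against
    (xml.parsers.expat.version_info is a documented stdlib attribute)."""
    return tuple(expat.version_info)


def scan_inventory(lines):
    """Return [(host, version_tuple, affected)] for tab-separated lines shaped
    'host<TAB>package<TAB>version'. Comment lines and blanks are skipped."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _package, version_text = line.split("\t")
        version = parse_version(version_text)
        if version is None:
            continue  # unparseable version string: nothing to compare
        findings.append((host, version, is_affected(version)))
    return findings


# Constructed sample inventory (hypothetical hosts, not real data)
SAMPLE_INVENTORY = """\
# host\tpackage\tversion
web-01\tlibexpat1\t2.6.4-1
web-02\texpat\t2.7.6
build-03\texpat\texpat_2.8.0
"""

if __name__ == "__main__":
    print("interpreter libexpat:", running_expat_version(),
          "affected" if is_affected(running_expat_version()) else "not affected")
    for host, version, affected in scan_inventory(SAMPLE_INVENTORY.splitlines()):
        print(f"{host}: {'.'.join(map(str, version))} -> {'AFFECTED' if affected else 'ok'}")
```

A version-only check overstates exposure on distributions that backport the fix without bumping the upstream version string; treat a hit as a lead to confirm against the distribution's own advisory, not as a final verdict.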

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The libexpat XML parser flaw lets locally supplied crafted input trigger hash collisions, exhausting the application's resources and causing denial of service through software exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.

Deeper analysis

CVE-2026-41080 affects libexpat versions prior to 2.8.0, where insufficient entropy in the seed that randomizes the parser's internal hash tables makes hash flooding possible through a crafted XML document. The weakness is classified as CWE-331 (Insufficient Entropy); its effect is denial of service, because an attacker who can predict the hash layout can craft many names that collide, degrading table lookups from constant to linear time. The CVSS v3.1 base score is 2.9 (AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L), reflecting low severity: local attack vector, high attack complexity, and limited impact on availability.

A local attacker with no privileges can exploit this by supplying a malicious XML document to an application that uses the vulnerable libexpat. The crafted input triggers hash flooding, causing excessive computation and a partial denial of service (slowed processing or resource exhaustion in the affected component) without affecting confidentiality or integrity. The AV:L rating describes the scored scenario; an application that feeds network-received XML into libexpat exposes the same weakness to remote input, so assess exposure by how each deployment sources its XML rather than by the base vector alone.

Advisories recommend upgrading to libexpat 2.8.0, which addresses the entropy issue; the fix is described in the release announcement on the hartwork blog, GitHub issue #47, pull request #1183, and oss-security mailing list posts from April 26, 2026. Those resources confirm that the fix improves hash randomization to prevent flooding attacks.
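Until the upgrade lands, the availability impact can be bounded at the point where untrusted XML enters the parser. The block below is an added example, not code from the advisory or from libexpat: it drives the standard-library binding to libexpat (xml.parsers.expat) and aborts the parse as soon as the input exceeds a byte budget or the document introduces more distinct element and attribute names than a budget allows, since every distinct name is a new entry in the parser's hash tables and a flood of distinct names is what a collision attack needs. The budget values and the generated test document are assumptions for illustration, and the generated document is not collision-inducing; it only exercises the budget.

```python
"""Parse untrusted XML under explicit resource budgets.

Added example; not code from the advisory page or from libexpat itself.
Budget values below are illustrative assumptions, not recommendations.
"""
import xml.parsers.expat as expat


class XMLBudgetExceeded(Exception):
    """Raised when a document exceeds one of the configured budgets."""


def parse_bounded(data: bytes, max_bytes: int = 1 << 20,
                  max_distinct_names: int = 10_000):
    """Parse `data` with libexpat, aborting as soon as a budget is exceeded.

    Returns (element_count, distinct_name_count) for documents within budget.
    Raises XMLBudgetExceeded for oversized or name-heavy input and
    expat.ExpatError for malformed XML.
    """
    if len(data) > max_bytes:
        raise XMLBudgetExceeded(f"document is {len(data)} bytes, limit {max_bytes}")

    names = set()   # every distinct element and attribute name seen so far
    elements = 0

    def on_start(name, attrs):
        nonlocal elements
        elements += 1
        names.add(name)
        names.update(attrs)  # attrs is a dict keyed by attribute name
        # Each new name is interned in libexpat's hash tables; capping the
        # count bounds the work a collision-heavy document can force.
        if len(names) > max_distinct_names:
            raise XMLBudgetExceeded(
                f"more than {max_distinct_names} distinct names after {elements} elements")

    parser = expat.ParserCreate()
    parser.StartElementHandler = on_start
    # An exception raised inside a handler propagates out of Parse(),
    # which is what stops the parser early.
    parser.Parse(data, True)
    return elements, len(names)


def build_many_names(n: int) -> bytes:
    """Constructed test input: a root element with n children of distinct names."""
    body = b"".join(b"<n%d/>" % i for i in range(n))
    return b"<root>" + body + b"</root>"


def check_within_budget(data: bytes, **budgets) -> bool:
    """True if the document parses within budget, False if a budget trips."""
    try:
        parse_bounded(data, **budgets)
        return True
    except XMLBudgetExceeded:
        return False


def is_malformed(data: bytes) -> bool:
    """True if libexpat rejects the document as not well-formed."""
    try:
        parse_bounded(data)
        return False
    except expat.ExpatError:
        return True


if __name__ == "__main__":
    print("small document:", parse_bounded(build_many_names(5)))
    print("50 names under a budget of 20:",
          check_within_budget(build_many_names(50), max_distinct_names=20))
```

The name budget is a defense-in-depth measure and does not repair the entropy weakness: a document that stays under the cap can still force collisions, only fewer of them. Upgrading to 2.8.0 remains the fix; the wrapper limits how much parse time an attacker can buy per request in the meantime.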

Details

CWE(s): CWE-331 (Insufficient Entropy)

Affected Products

libexpat project / libexpat, versions ≤ 2.7.6

CVEs Like This One

CVE-2026-25210 (same product: Libexpat Project Libexpat)
CVE-2025-13399 (shared CWE-331)
CVE-2025-29311 (shared CWE-331)
CVE-2020-36925 (shared CWE-331)
CVE-2024-53522 (shared CWE-331)
CVE-2026-34236 (shared CWE-331)
CVE-2026-22698 (shared CWE-331)
CVE-2025-1860 (shared CWE-331)
CVE-2025-1828 (shared CWE-331)
CVE-2025-15387 (shared CWE-331)
