CVE-2026-45186EXPLOITEDPATCHED

libexpat_project · libexpat

CVE-2026-45186: In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via

Description

Fix quadratic runtime from attribute name collision checks that allowed denial of service attacks through moderately sized crafted XML input.

Affected Products

Vendor	Product	Versions
libexpat_project	libexpat	0

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
ibm	http	cert_advisory	90%
open source	expat	cert_advisory	90%

References

https://github.com/libexpat/libexpat/pull/1216

Related News (6 articles)

Tier B

BSI Advisories32d ago

[NEU] [hoch] IBM HTTP Server: Mehrere Schwachstellen

→ No new info (linked only)

Tier C

oss-security47d ago

libexpat 2.8.1 fixes CVE-2026-45186 (denial of service)

→ No new info (linked only)

Tier E

Lobsters Security47d ago

Expat 2.8.1 released, CVE-2026-45186 and CVSS unreliability

→ No new info (linked only)

Tier B

BSI Advisories48d ago

[NEU] [niedrig] expat: Schwachstelle ermöglicht Denial of Service

→ No new info (linked only)

CVSS 3.12.9 LOW

VectorCVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

2.8.1

CWECWE-407

PublishedMay 10, 2026

Last enriched47d agov3

Community Vote

0 upvotes0 downvotes

No votes yet

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

May 10, 2026

Discovered by ZDM

May 10, 2026

Updated: affectedVersions, severity, tags

May 10, 2026

Actively Exploited

May 10, 2026

Exploit Available

May 10, 2026

Patch Available

May 10, 2026

Updated: description, exploitAvailable, activelyExploited

May 11, 2026

Version History

Last enriched 47d ago

v3Tier C47d ago

Updated description with more technical detail, marked exploit as available, and noted that the vulnerability is actively exploited.

descriptionexploitAvailableactivelyExploited

via oss-security

v2Tier C49d ago

Updated affected versions to include 2.8.0, changed severity to MEDIUM, and noted that there is no available exploit.

affectedVersionsseveritytags

via VulDB

v149d ago

Initial creation

CVE-2026-45186: In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via

Description

Affected Products

Also Affects

References

Related News (6 articles)

Community Vote

Related CVEs (3)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History