CVE-2026-45186 Overview
CVE-2026-45186 is a denial of service vulnerability in libexpat versions prior to 2.8.1. The flaw exists in the computational complexity of attribute name collision checks within the XML parser. An attacker can submit moderately sized crafted XML input to trigger excessive CPU consumption. The vulnerability is classified under CWE-407 (Inefficient Algorithmic Complexity) and is exploitable over the network without authentication or user interaction. Libexpat is a widely deployed C library used by browsers, language runtimes, and system utilities to parse XML, making the impact broad across downstream consumers.
Critical Impact
Remote attackers can cause denial of service in any application linking libexpat by submitting moderately sized, specially crafted XML documents that exhaust CPU resources during attribute name collision checking.
Affected Products
- libexpat versions prior to 2.8.1
- Applications and language runtimes embedding vulnerable libexpat builds
- Linux distributions and operating systems shipping libexpat as a system library
Discovery Timeline
- 2026-05-10 - CVE-2026-45186 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-45186
Vulnerability Analysis
The vulnerability is an algorithmic complexity flaw in libexpat's XML attribute processing path. When parsing an element start tag, libexpat must verify that no two attributes of that element share a name, since a repeated attribute name makes the document ill-formed. In versions before 2.8.1, the running time of the collision-check routine grows faster than linearly with the number of attributes on a single element. An attacker can therefore craft one element carrying many attributes whose names share long prefixes or otherwise trigger worst-case comparisons, so that the parser performs a number of string comparisons out of proportion to the input size. Because the input itself remains moderately sized, the attack needs neither large payloads nor much bandwidth. Applications that parse untrusted XML, including SOAP services, configuration handlers, RSS readers, and document processors, can be rendered unresponsive.
Root Cause
The root cause is inefficient algorithmic design in the attribute collision check. The check exhibits non-linear time complexity relative to attribute count, allowing crafted input to dominate parser execution time. The upstream fix introduced through the libexpat pull request #1216 restructures this comparison logic to bound the runtime cost.
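The following is an added illustration of the class of flaw described above, not libexpat's code and not the fix from pull request #1216. It contrasts a pairwise duplicate-name check, whose work grows quadratically with the attribute count, against a hash-set check that does one probe per attribute, and it counts the work explicitly rather than timing it. The worst-case generator (distinct names that share a long common prefix, so every comparison must walk the prefix before it can differ) follows the page's description and is an assumption for the purpose of the demonstration, not a known trigger for this CVE.

```python
"""Pairwise vs. hashed duplicate-attribute detection, with work counted.

Added example; the checkers here are simplified stand-ins, not libexpat's
implementation. Input is constructed in worst_case_names()."""

from typing import Iterable, List, Optional, Tuple


def names_equal(a: str, b: str, counter: List[int]) -> bool:
    """Character-by-character equality test that records how many
    characters were examined, so work is measured rather than timed."""
    for i in range(min(len(a), len(b))):
        counter[0] += 1
        if a[i] != b[i]:
            return False
    return len(a) == len(b)


def pairwise_duplicate(names: Iterable[str]) -> Tuple[Optional[str], int, int]:
    """Naive check: compare each new name against every earlier one.
    Returns (first duplicate or None, pair comparisons, characters examined)."""
    seen: List[str] = []
    chars = [0]
    pairs = 0
    for name in names:
        for earlier in seen:
            pairs += 1
            if names_equal(earlier, name, chars):
                return name, pairs, chars[0]
        seen.append(name)
    return None, pairs, chars[0]


def hashed_duplicate(names: Iterable[str]) -> Tuple[Optional[str], int]:
    """Bounded check: one set probe per attribute, linear expected work.
    Returns (first duplicate or None, probes)."""
    seen = set()
    probes = 0
    for name in names:
        probes += 1
        if name in seen:
            return name, probes
        seen.add(name)
    return None, probes


def worst_case_names(count: int, prefix_len: int) -> List[str]:
    """Constructed input: distinct names sharing a long prefix, so every
    pairwise comparison walks the whole prefix before it can differ."""
    prefix = "a" * prefix_len
    return [f"{prefix}{i:05d}" for i in range(count)]


def compare(count: int, prefix_len: int) -> dict:
    """Run both checks over the same constructed element and report work."""
    names = worst_case_names(count, prefix_len)
    dup, pairs, chars = pairwise_duplicate(names)
    _, probes = hashed_duplicate(names)
    return {"duplicate": dup, "pairs": pairs, "chars": chars, "probes": probes}


if __name__ == "__main__":
    for n in (50, 200, 800):
        r = compare(n, 64)
        print(f"{n:4d} attrs: {r['pairs']:7d} pair comparisons, "
              f"{r['chars']:9d} chars examined, {r['probes']:4d} set probes")
```

Doubling the attribute count roughly quadruples both the pair comparisons and the characters examined by the pairwise check, while the hashed check's probes double. Two caveats when applying this reasoning to a real parser: a hash-based check only bounds the cost if the hash is keyed so that an attacker cannot force collisions (libexpat exposes XML_SetHashSalt for that purpose), and the constant factor per comparison still matters, which is why the attacker on this page chooses names that maximise the length of each comparison.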
Attack Vector
Exploitation requires only the ability to deliver XML input to a process linked against vulnerable libexpat. The attacker submits a crafted XML document containing an element with a specifically chosen set of attribute names. The parser enters the collision-check routine and consumes CPU cycles until the request completes or times out. No authentication, privileges, or user interaction are required. Repeated submissions can sustain a denial of service condition against XML-parsing endpoints such as web services, mail filters, or document ingestion pipelines.
No verified proof-of-concept code is publicly available. See the OpenWall OSS Security disclosure and the libexpat pull request #1216 for technical details on the fix.
Detection Methods for CVE-2026-45186
Indicators of Compromise
- Sustained high CPU utilization in processes performing XML parsing without corresponding throughput increase
- HTTP requests containing XML payloads with unusually high attribute counts per element
- Timeouts or worker exhaustion in SOAP, XML-RPC, or REST endpoints accepting XML bodies
- Repeated submissions of small XML documents from a single source coinciding with service degradation
Detection Strategies
- Inventory all binaries and packages linking libexpat and compare installed versions against 2.8.1; on distributions that backport fixes, the package version string may stay below 2.8.1, so confirm against the distribution advisory or package changelog rather than the upstream version alone
- Inspect XML traffic at application gateways for elements containing excessive attributes
- Profile CPU time spent inside libexpat symbols during request processing to identify hotspots
- Monitor application logs for parser timeouts, aborted requests, or watchdog terminations on XML handlers
Monitoring Recommendations
- Establish baselines for CPU consumption of XML-parsing services and alert on sustained deviations
- Track request duration percentiles for XML endpoints and flag long-tail latency spikes
- Correlate source IP, request rate, and parser CPU time to identify abuse patterns
How to Mitigate CVE-2026-45186
Immediate Actions Required
- Upgrade libexpat to version 2.8.1 or later across all systems and container images
- Identify embedded copies of libexpat in third-party software and apply vendor updates as they become available
- Apply request size and attribute count limits at API gateways handling untrusted XML
- Rebuild and redeploy applications that statically link libexpat against the patched library
Patch Information
The fix is upstream in libexpat 2.8.1. The corrective change is tracked in the libexpat pull request #1216, which restructures the attribute name collision check to eliminate the algorithmic complexity issue. Linux distribution maintainers are publishing backports; consult distribution security advisories for package-specific versions.
Workarounds
- Enforce strict input size and attribute-per-element limits in front of XML parsers when patching is not immediately possible
- Place CPU and memory cgroup limits on processes handling untrusted XML to contain resource exhaustion
- Disable XML interfaces that are not required by the application
- Route untrusted XML through a hardened pre-parser or schema validator that rejects malformed or excessive structures
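The pre-parser suggested in the workarounds above, and the gateway inspection for elements with excessive attributes listed under Detection Strategies, can share one structural check. The following is an added example of such a check, not libexpat's code or any vendor's product. It deliberately avoids Python's xml.parsers.expat, because CPython's pyexpat module is itself built on libexpat and would be exposed to the same flaw; instead a small hand-written scanner recognises just enough XML to count attributes per start tag while skipping comments, CDATA sections and processing instructions. The size and attribute limits, the DOCTYPE rejection policy and the sample documents are assumptions for illustration.

```python
"""Structural pre-check for untrusted XML: reject documents that exceed a
size ceiling or a per-element attribute ceiling before a full parser sees them.

Added example, not part of libexpat. Limits and samples are assumptions."""

import re
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_BYTES = 64 * 1024        # assumed size ceiling for this endpoint
MAX_ATTRS_PER_ELEMENT = 32   # assumed; set above the application's real maximum
_WS = " \t\r\n"
_NAME = re.compile(r"[^\s/>]+")


@dataclass
class Verdict:
    accepted: bool
    reason: Optional[str]
    elements: int
    max_attrs: int


def _skip_past(doc: str, pos: int, marker: str) -> int:
    end = doc.find(marker, pos)
    if end < 0:
        raise ValueError(f"unterminated construct, expected {marker!r}")
    return end + len(marker)


def _count_attrs(doc: str, pos: int) -> Tuple[int, int]:
    """pos is just after the element name. Count name="value" pairs up to
    the closing '>' or '/>'. Returns (count, position after the tag)."""
    n, count = len(doc), 0
    while True:
        while pos < n and doc[pos] in _WS:
            pos += 1
        if pos >= n:
            raise ValueError("unterminated start tag")
        if doc.startswith("/>", pos):
            return count, pos + 2
        if doc[pos] == ">":
            return count, pos + 1
        start = pos
        while pos < n and doc[pos] not in _WS and doc[pos] not in "=>/":
            pos += 1
        if pos == start:
            raise ValueError("malformed attribute")
        while pos < n and doc[pos] in _WS:
            pos += 1
        if pos >= n or doc[pos] != "=":
            raise ValueError("attribute without value")
        pos += 1
        while pos < n and doc[pos] in _WS:
            pos += 1
        if pos >= n or doc[pos] not in "\"'":
            raise ValueError("unquoted attribute value")
        pos = _skip_past(doc, pos + 1, doc[pos])   # value ends at matching quote
        count += 1


def scan(doc: str) -> Verdict:
    """Count attributes on every start tag; '<' inside comments, CDATA and
    processing instructions is skipped so it is not mistaken for markup."""
    elements = max_attrs = pos = 0
    while True:
        pos = doc.find("<", pos)
        if pos < 0:
            return Verdict(True, None, elements, max_attrs)
        if doc.startswith("<!--", pos):
            pos = _skip_past(doc, pos + 4, "-->")
        elif doc.startswith("<![CDATA[", pos):
            pos = _skip_past(doc, pos + 9, "]]>")
        elif doc.startswith("<?", pos):
            pos = _skip_past(doc, pos + 2, "?>")
        elif doc.startswith("<!", pos):
            # Assumed policy: no DOCTYPE or other declarations from untrusted sources
            return Verdict(False, "DOCTYPE or declaration not allowed", elements, max_attrs)
        elif doc.startswith("</", pos):
            pos = _skip_past(doc, pos + 2, ">")
        else:
            m = _NAME.match(doc, pos + 1)
            if not m:
                raise ValueError("empty element name")
            count, pos = _count_attrs(doc, m.end())
            elements += 1
            max_attrs = max(max_attrs, count)
            if count > MAX_ATTRS_PER_ELEMENT:
                return Verdict(False, f"element with {count} attributes exceeds limit",
                               elements, max_attrs)


def precheck(doc: str) -> Verdict:
    """Gateway entry point: size limit first, then the structural scan."""
    if len(doc.encode("utf-8")) > MAX_BYTES:
        return Verdict(False, "document exceeds size limit", 0, 0)
    try:
        return scan(doc)
    except ValueError as exc:
        return Verdict(False, f"malformed markup: {exc}", 0, 0)


# Constructed sample inputs, not captured traffic.
BENIGN = ('<?xml version="1.0"?><!-- <x a="1" b="2" c="3"> -->'
          '<order id="7"><item sku="A1" qty="2"/></order>')
FLOOD = "<e " + " ".join(f'{"p" * 40}{i:04d}="x"' for i in range(500)) + "/>"
```

Running precheck(BENIGN) accepts the document with two elements and at most two attributes on any of them; precheck(FLOOD), a single element carrying 500 long, prefix-sharing attribute names in well under the size limit, is rejected by the attribute ceiling even though it would pass a size-only limit. The scanner raises on anything it cannot tokenise, and precheck turns that into a rejection, so a malformed tag is never forwarded either. Logging the max_attrs value per request also gives the baseline needed for the detection strategy above.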
# Verify installed libexpat version on Debian/Ubuntu (runtime package is libexpat1)
dpkg -l | grep libexpat
# Verify on RHEL/CentOS/Fedora
rpm -q expat
# Note: distributions that backport the fix may keep a version string below 2.8.1;
# confirm the fix via the distribution advisory or package changelog
# Upgrade examples
sudo apt-get update && sudo apt-get install --only-upgrade libexpat1
sudo dnf update expat
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.