On Mon Jul 6, 2026 at 2:04 PM CEST, Amaury Couderc via lists.openembedded.org 
wrote:
> From: Amaury Couderc <[email protected]>
>
> CVE-2026-7210 is a hash-flooding denial-of-service vulnerability in
> Python's XML parsing modules (xml.parsers.expat, xml.etree.ElementTree).
> An attacker can craft XML input that forces O(n²) hash collisions in
> libexpat's internal name dictionary, causing excessive CPU consumption.
>
> The previous mitigation seeded libexpat's hash function with only 4
> bytes of entropy, which is insufficient against a determined attacker.
> This patch upgrades to XML_SetHashSalt16Bytes (libexpat >= 2.8.0),
> providing a full 16-byte secret. Older expat versions fall back
> gracefully to the legacy XML_SetHashSalt via a runtime NULL check.
>
> NOTE: CVE-2026-7210 full mitigation requires the companion
>     expat CVE-2026-41080 patch (raises expat to >= 2.8.0 API)
>
> Backport patch to fix CVE-2026-7210.
> https://nvd.nist.gov/vuln/detail/CVE-2026-7210
>
> Upstream fix:
> https://github.com/python/cpython/commit/24b8f12544468e4cedf5bfbe25442fcd495391e4
>
> Tested with ptest:
> Before: PASSED: 43903, FAILED: 0, SKIPPED: 2471
> After: PASSED: 43903, FAILED: 0, SKIPPED: 2471
>
> CVE: CVE-2026-7210
>
> Signed-off-by: Amaury Couderc <[email protected]>

Hello,

This CVE patch is included in the python upgrade received here:
"python3: upgrade 3.14.5 -> 3.14.6"
https://lore.kernel.org/all/[email protected]/
I'll drop this and proceed with the upgrade.

Thanks!

> ---
>  .../python/python3/CVE-2026-7210.patch        | 136 ++++++++++++++++++
>  .../recipes-devtools/python/python3_3.14.5.bb |   1 +
>  2 files changed, 137 insertions(+)
>  create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-7210.patch
>
> diff --git a/meta/recipes-devtools/python/python3/CVE-2026-7210.patch 
> b/meta/recipes-devtools/python/python3/CVE-2026-7210.patch
> new file mode 100644
> index 0000000000..337130d9b7
> --- /dev/null
> +++ b/meta/recipes-devtools/python/python3/CVE-2026-7210.patch
> @@ -0,0 +1,136 @@
> +From a7fafeebaf33995556a37e9eec4f6a6bcfce2e67 Mon Sep 17 00:00:00 2001
> +From: Stan Ulbrych <[email protected]>
> +Date: Sun, 10 May 2026 18:36:26 +0100
> +Subject: [PATCH] gh-149018: Use `XML_SetHashSalt16Bytes` in 
> `pyexpat`/`_elementtree` when possible (#149023)
> +
> +CVE-2026-7210 is a hash-flooding denial-of-service vulnerability in
> +Python's XML parsing modules (xml.parsers.expat, xml.etree.ElementTree).
> +An attacker can craft XML input that forces O(n²) hash collisions in
> +libexpat's internal name dictionary, causing excessive CPU consumption.
> +
> +The previous mitigation seeded libexpat's hash function with only 4
> +bytes of entropy, which is insufficient against a determined attacker.
> +This patch upgrades to XML_SetHashSalt16Bytes (libexpat >= 2.8.0),
> +providing a full 16-byte secret. Older expat versions fall back
> +gracefully to the legacy XML_SetHashSalt via a runtime NULL check.
> +
> +NOTE: CVE-2026-7210 full mitigation requires the companion
> +    expat CVE-2026-41080 patch (raises expat to >= 2.8.0 API)
> +
> +CVE: CVE-2026-7210
> +Upstream-Status: Backport 
> [https://github.com/python/cpython/commit/24b8f12544468e4cedf5bfbe25442fcd495391e4]
> +
> +Signed-off-by: Amaury Couderc <[email protected]>
> +---
> + Include/internal/pycore_pyhash.h                       |  8 +++++---
> + Include/pyexpat.h                                      |  3 +++
> + .../2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst     |  3 +++
> + Modules/_elementtree.c                                 |  8 ++++++--
> + Modules/pyexpat.c                                      | 10 +++++++++-
> + 5 files changed, 26 insertions(+), 6 deletions(-)
> + create mode 100644 
> Misc/NEWS.d/next/Security/2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst
> +
> +diff --git a/Include/internal/pycore_pyhash.h 
> b/Include/internal/pycore_pyhash.h
> +index 84cb72fa6fd..3056dc44cc0 100644
> +--- a/Include/internal/pycore_pyhash.h
> ++++ b/Include/internal/pycore_pyhash.h
> +@@ -27,14 +27,14 @@ _Py_HashPointerRaw(const void *ptr)
> +  *   pppppppp ssssssss ........  fnv -- two Py_hash_t
> +  *   k0k0k0k0 k1k1k1k1 ........  siphash -- two uint64_t
> +  *   ........ ........ ssssssss  djbx33a -- 16 bytes padding + one Py_hash_t
> +- *   ........ ........ eeeeeeee  pyexpat XML hash salt
> ++ *   eeeeeeee eeeeeeee eeeeeeee  pyexpat XML hash salt
> +  *
> +  * memory layout on 32 bit systems
> +  *   cccccccc cccccccc cccccccc  uc
> +  *   ppppssss ........ ........  fnv -- two Py_hash_t
> +  *   k0k0k0k0 k1k1k1k1 ........  siphash -- two uint64_t (*)
> +  *   ........ ........ ssss....  djbx33a -- 16 bytes padding + one Py_hash_t
> +- *   ........ ........ eeee....  pyexpat XML hash salt
> ++ *   eeeeeeee eeeeeeee eeee....  pyexpat XML hash salt
> +  *
> +  * (*) The siphash member may not be available on 32 bit platforms without
> +  *     an unsigned int64 data type.
> +@@ -58,7 +58,9 @@ typedef union {
> +         Py_hash_t suffix;
> +     } djbx33a;
> +     struct {
> +-        unsigned char padding[16];
> ++        /* 16 bytes for XML_SetHashSalt16Bytes */
> ++        uint8_t hashsalt16[16];
> ++        /* 4/8 bytes for legacy XML_SetHashSalt */
> +         Py_hash_t hashsalt;
> +     } expat;
> + } _Py_HashSecret_t;
> +diff --git a/Include/pyexpat.h b/Include/pyexpat.h
> +index 04548b7684a..d28d6828975 100644
> +--- a/Include/pyexpat.h
> ++++ b/Include/pyexpat.h
> +@@ -57,6 +57,9 @@ struct PyExpat_CAPI
> +         XML_Parser parser, unsigned long long activationThresholdBytes);
> +     XML_Bool (*SetAllocTrackerMaximumAmplification)(
> +         XML_Parser parser, float maxAmplificationFactor);
> ++    /* might be NULL for expat < 2.8.0 */
> ++    XML_Bool (*SetHashSalt16Bytes)(
> ++        XML_Parser parser, const uint8_t entropy[16]);
> +     /* always add new stuff to the end! */
> + };
> + 
> +diff --git 
> a/Misc/NEWS.d/next/Security/2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst 
> b/Misc/NEWS.d/next/Security/2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst
> +new file mode 100644
> +index 00000000000..d1b5b368684
> +--- /dev/null
> ++++ 
> b/Misc/NEWS.d/next/Security/2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst
> +@@ -0,0 +1,3 @@
> ++Improved protection against XML hash-flooding attacks in
> ++:mod:`xml.parsers.expat` and :mod:`xml.etree.ElementTree` when Python is
> ++compiled with libExpat 2.8.0 or later.
> +diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c
> +index 7ca03f1561b..44d59fcb806 100644
> +--- a/Modules/_elementtree.c
> ++++ b/Modules/_elementtree.c
> +@@ -3724,8 +3724,12 @@ _elementtree_XMLParser___init___impl(XMLParserObject 
> *self, PyObject *target,
> +         PyErr_NoMemory();
> +         return -1;
> +     }
> +-    /* expat < 2.1.0 has no XML_SetHashSalt() */
> +-    if (EXPAT(st, SetHashSalt) != NULL) {
> ++    // Prefer 16-byte entropy, only expat >= 2.8.0. See gh-149018
> ++    if (EXPAT(st, SetHashSalt16Bytes) != NULL) {
> ++        EXPAT(st, SetHashSalt16Bytes)(self->parser,
> ++                                      _Py_HashSecret.expat.hashsalt16);
> ++    }
> ++    else if (EXPAT(st, SetHashSalt) != NULL) {
> +         EXPAT(st, SetHashSalt)(self->parser,
> +                            (unsigned long)_Py_HashSecret.expat.hashsalt);
> +     }
> +diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c
> +index f82f8456e48..437fd5fb61a 100644
> +--- a/Modules/pyexpat.c
> ++++ b/Modules/pyexpat.c
> +@@ -1416,7 +1416,11 @@ newxmlparseobject(pyexpat_state *state, const char 
> *encoding,
> +         Py_DECREF(self);
> +         return NULL;
> +     }
> +-#if XML_COMBINED_VERSION >= 20100
> ++#if defined(XML_BACKPORT_SET_HASH_SALT_16_BYTES) \
> ++    || XML_COMBINED_VERSION >= 20800
> ++    /* This feature was added upstream in libexpat 2.8.0. */
> ++    XML_SetHashSalt16Bytes(self->itself, _Py_HashSecret.expat.hashsalt16);
> ++#elif XML_COMBINED_VERSION >= 20100
> +     /* This feature was added upstream in libexpat 2.1.0. */
> +     XML_SetHashSalt(self->itself,
> +                     (unsigned long)_Py_HashSecret.expat.hashsalt);
> +@@ -2310,6 +2313,12 @@ pyexpat_exec(PyObject *mod)
> + #else
> +     capi->SetHashSalt = NULL;
> + #endif
> ++#if defined(XML_BACKPORT_SET_HASH_SALT_16_BYTES) \
> ++    || XML_COMBINED_VERSION >= 20800
> ++    capi->SetHashSalt16Bytes = XML_SetHashSalt16Bytes;
> ++#else
> ++    capi->SetHashSalt16Bytes = NULL;
> ++#endif
> + #if XML_COMBINED_VERSION >= 20600
> +     capi->SetReparseDeferralEnabled = XML_SetReparseDeferralEnabled;
> + #else
> diff --git a/meta/recipes-devtools/python/python3_3.14.5.bb 
> b/meta/recipes-devtools/python/python3_3.14.5.bb
> index ed413dc1fe..83f6bf426c 100644
> --- a/meta/recipes-devtools/python/python3_3.14.5.bb
> +++ b/meta/recipes-devtools/python/python3_3.14.5.bb
> @@ -36,6 +36,7 @@ SRC_URI = 
> "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
>             file://0001-test_only_active_thread-skip-problematic-test.patch \
>             file://0001-prefer-valid-entrypoints.patch \
>             file://0001-Fix-ThreadingMock-call-count-race-condition.patch \
> +           file://CVE-2026-7210.patch \
>             "
>  SRC_URI:append:class-native = " \
>             
> file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \


-- 
Yoann Congal
Smile ECS

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#240497): 
https://lists.openembedded.org/g/openembedded-core/message/240497
Mute This Topic: https://lists.openembedded.org/mt/120138099/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to