On Mon Jul 6, 2026 at 2:04 PM CEST, Amaury Couderc via lists.openembedded.org wrote: > From: Amaury Couderc <[email protected]> > > CVE-2026-7210 is a hash-flooding denial-of-service vulnerability in > Python's XML parsing modules (xml.parsers.expat, xml.etree.ElementTree). > An attacker can craft XML input that forces O(n²) hash collisions in > libexpat's internal name dictionary, causing excessive CPU consumption. > > The previous mitigation seeded libexpat's hash function with only 4 > bytes of entropy, which is insufficient against a determined attacker. > This patch upgrades to XML_SetHashSalt16Bytes (libexpat >= 2.8.0), > providing a full 16-byte secret. Older expat versions fall back > gracefully to the legacy XML_SetHashSalt via a runtime NULL check. > > NOTE: CVE-2026-7210 full mitigation requires the companion > expat CVE-2026-41080 patch (raises expat to >= 2.8.0 API) > > Backport patch to fix CVE-2026-7210. > https://nvd.nist.gov/vuln/detail/CVE-2026-7210 > > Upstream fix: > https://github.com/python/cpython/commit/24b8f12544468e4cedf5bfbe25442fcd495391e4 > > Tested with ptest: > Before: PASSED: 43903, FAILED: 0, SKIPPED: 2471 > After: PASSED: 43903, FAILED: 0, SKIPPED: 2471 > > CVE: CVE-2026-7210 > > Signed-off-by: Amaury Couderc <[email protected]>
Hello, This CVE patch is included in the python upgrade received here: "python3: upgrade 3.14.5 -> 3.14.6" https://lore.kernel.org/all/[email protected]/ I'll drop this and proceed with the upgrade. Thanks! > --- > .../python/python3/CVE-2026-7210.patch | 136 ++++++++++++++++++ > .../recipes-devtools/python/python3_3.14.5.bb | 1 + > 2 files changed, 137 insertions(+) > create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-7210.patch > > diff --git a/meta/recipes-devtools/python/python3/CVE-2026-7210.patch > b/meta/recipes-devtools/python/python3/CVE-2026-7210.patch > new file mode 100644 > index 0000000000..337130d9b7 > --- /dev/null > +++ b/meta/recipes-devtools/python/python3/CVE-2026-7210.patch > @@ -0,0 +1,136 @@ > +From a7fafeebaf33995556a37e9eec4f6a6bcfce2e67 Mon Sep 17 00:00:00 2001 > +From: Stan Ulbrych <[email protected]> > +Date: Sun, 10 May 2026 18:36:26 +0100 > +Subject: [PATCH] gh-149018: Use `XML_SetHashSalt16Bytes` in > `pyexpat`/`_elementtree` when possible (#149023) > + > +CVE-2026-7210 is a hash-flooding denial-of-service vulnerability in > +Python's XML parsing modules (xml.parsers.expat, xml.etree.ElementTree). > +An attacker can craft XML input that forces O(n²) hash collisions in > +libexpat's internal name dictionary, causing excessive CPU consumption. > + > +The previous mitigation seeded libexpat's hash function with only 4 > +bytes of entropy, which is insufficient against a determined attacker. > +This patch upgrades to XML_SetHashSalt16Bytes (libexpat >= 2.8.0), > +providing a full 16-byte secret. Older expat versions fall back > +gracefully to the legacy XML_SetHashSalt via a runtime NULL check. > + > +NOTE: CVE-2026-7210 full mitigation requires the companion > + expat CVE-2026-41080 patch (raises expat to >= 2.8.0 API) > + > +CVE: CVE-2026-7210 > +Upstream-Status: Backport > [https://github.com/python/cpython/commit/24b8f12544468e4cedf5bfbe25442fcd495391e4] > + > +Signed-off-by: Amaury Couderc <[email protected]> > +--- > + Include/internal/pycore_pyhash.h | 8 +++++--- > + Include/pyexpat.h | 3 +++ > + .../2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst | 3 +++ > + Modules/_elementtree.c | 8 ++++++-- > + Modules/pyexpat.c | 10 +++++++++- > + 5 files changed, 26 insertions(+), 6 deletions(-) > + create mode 100644 > Misc/NEWS.d/next/Security/2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst > + > +diff --git a/Include/internal/pycore_pyhash.h > b/Include/internal/pycore_pyhash.h > +index 84cb72fa6fd..3056dc44cc0 100644 > +--- a/Include/internal/pycore_pyhash.h > ++++ b/Include/internal/pycore_pyhash.h > +@@ -27,14 +27,14 @@ _Py_HashPointerRaw(const void *ptr) > + * pppppppp ssssssss ........ fnv -- two Py_hash_t > + * k0k0k0k0 k1k1k1k1 ........ siphash -- two uint64_t > + * ........ ........ ssssssss djbx33a -- 16 bytes padding + one Py_hash_t > +- * ........ ........ eeeeeeee pyexpat XML hash salt > ++ * eeeeeeee eeeeeeee eeeeeeee pyexpat XML hash salt > + * > + * memory layout on 32 bit systems > + * cccccccc cccccccc cccccccc uc > + * ppppssss ........ ........ fnv -- two Py_hash_t > + * k0k0k0k0 k1k1k1k1 ........ siphash -- two uint64_t (*) > + * ........ ........ ssss.... djbx33a -- 16 bytes padding + one Py_hash_t > +- * ........ ........ eeee.... pyexpat XML hash salt > ++ * eeeeeeee eeeeeeee eeee.... pyexpat XML hash salt > + * > + * (*) The siphash member may not be available on 32 bit platforms without > + * an unsigned int64 data type. > +@@ -58,7 +58,9 @@ typedef union { > + Py_hash_t suffix; > + } djbx33a; > + struct { > +- unsigned char padding[16]; > ++ /* 16 bytes for XML_SetHashSalt16Bytes */ > ++ uint8_t hashsalt16[16]; > ++ /* 4/8 bytes for legacy XML_SetHashSalt */ > + Py_hash_t hashsalt; > + } expat; > + } _Py_HashSecret_t; > +diff --git a/Include/pyexpat.h b/Include/pyexpat.h > +index 04548b7684a..d28d6828975 100644 > +--- a/Include/pyexpat.h > ++++ b/Include/pyexpat.h > +@@ -57,6 +57,9 @@ struct PyExpat_CAPI > + XML_Parser parser, unsigned long long activationThresholdBytes); > + XML_Bool (*SetAllocTrackerMaximumAmplification)( > + XML_Parser parser, float maxAmplificationFactor); > ++ /* might be NULL for expat < 2.8.0 */ > ++ XML_Bool (*SetHashSalt16Bytes)( > ++ XML_Parser parser, const uint8_t entropy[16]); > + /* always add new stuff to the end! */ > + }; > + > +diff --git > a/Misc/NEWS.d/next/Security/2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst > b/Misc/NEWS.d/next/Security/2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst > +new file mode 100644 > +index 00000000000..d1b5b368684 > +--- /dev/null > ++++ > b/Misc/NEWS.d/next/Security/2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst > +@@ -0,0 +1,3 @@ > ++Improved protection against XML hash-flooding attacks in > ++:mod:`xml.parsers.expat` and :mod:`xml.etree.ElementTree` when Python is > ++compiled with libExpat 2.8.0 or later. > +diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c > +index 7ca03f1561b..44d59fcb806 100644 > +--- a/Modules/_elementtree.c > ++++ b/Modules/_elementtree.c > +@@ -3724,8 +3724,12 @@ _elementtree_XMLParser___init___impl(XMLParserObject > *self, PyObject *target, > + PyErr_NoMemory(); > + return -1; > + } > +- /* expat < 2.1.0 has no XML_SetHashSalt() */ > +- if (EXPAT(st, SetHashSalt) != NULL) { > ++ // Prefer 16-byte entropy, only expat >= 2.8.0. See gh-149018 > ++ if (EXPAT(st, SetHashSalt16Bytes) != NULL) { > ++ EXPAT(st, SetHashSalt16Bytes)(self->parser, > ++ _Py_HashSecret.expat.hashsalt16); > ++ } > ++ else if (EXPAT(st, SetHashSalt) != NULL) { > + EXPAT(st, SetHashSalt)(self->parser, > + (unsigned long)_Py_HashSecret.expat.hashsalt); > + } > +diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c > +index f82f8456e48..437fd5fb61a 100644 > +--- a/Modules/pyexpat.c > ++++ b/Modules/pyexpat.c > +@@ -1416,7 +1416,11 @@ newxmlparseobject(pyexpat_state *state, const char > *encoding, > + Py_DECREF(self); > + return NULL; > + } > +-#if XML_COMBINED_VERSION >= 20100 > ++#if defined(XML_BACKPORT_SET_HASH_SALT_16_BYTES) \ > ++ || XML_COMBINED_VERSION >= 20800 > ++ /* This feature was added upstream in libexpat 2.8.0. */ > ++ XML_SetHashSalt16Bytes(self->itself, _Py_HashSecret.expat.hashsalt16); > ++#elif XML_COMBINED_VERSION >= 20100 > + /* This feature was added upstream in libexpat 2.1.0. */ > + XML_SetHashSalt(self->itself, > + (unsigned long)_Py_HashSecret.expat.hashsalt); > +@@ -2310,6 +2313,12 @@ pyexpat_exec(PyObject *mod) > + #else > + capi->SetHashSalt = NULL; > + #endif > ++#if defined(XML_BACKPORT_SET_HASH_SALT_16_BYTES) \ > ++ || XML_COMBINED_VERSION >= 20800 > ++ capi->SetHashSalt16Bytes = XML_SetHashSalt16Bytes; > ++#else > ++ capi->SetHashSalt16Bytes = NULL; > ++#endif > + #if XML_COMBINED_VERSION >= 20600 > + capi->SetReparseDeferralEnabled = XML_SetReparseDeferralEnabled; > + #else > diff --git a/meta/recipes-devtools/python/python3_3.14.5.bb > b/meta/recipes-devtools/python/python3_3.14.5.bb > index ed413dc1fe..83f6bf426c 100644 > --- a/meta/recipes-devtools/python/python3_3.14.5.bb > +++ b/meta/recipes-devtools/python/python3_3.14.5.bb > @@ -36,6 +36,7 @@ SRC_URI = > "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ > file://0001-test_only_active_thread-skip-problematic-test.patch \ > file://0001-prefer-valid-entrypoints.patch \ > file://0001-Fix-ThreadingMock-call-count-race-condition.patch \ > + file://CVE-2026-7210.patch \ > " > SRC_URI:append:class-native = " \ > > file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \ -- Yoann Congal Smile ECS
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#240497): https://lists.openembedded.org/g/openembedded-core/message/240497 Mute This Topic: https://lists.openembedded.org/mt/120138099/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
