Hello oss-security,
just a quick note that libexpat 2.8.1 (or "Expat 2.8.1") released yesterday
is fixing CVE-2026-45186: Fix quadratic runtime from attribute name collision
checks that allowed denial of service attacks through moderately sized crafted
XML input (CWE-407).

Please note that a layer of compression around XML can significantly reduce
the minimum attack payload size.

Some key links are:

- The blog post about it
  https://blog.hartwork.org/posts/expat-2-8-1-released/
- The change log of release 2.8.1
  https://github.com/libexpat/libexpat/blob/R_2_8_1/expat/Changes
- The fixing pull request
  https://github.com/libexpat/libexpat/pull/1216
- The NVD CVE metadata
  https://nvd.nist.gov/vuln/detail/CVE-2026-45186

PS: The CVE database lists an unrealistically low CVSS score for this.
The complexity of an attack is very low (not "High") and the attack vector
is remote (not "Local"). I have asked Mitre to fix this earlier today.
My blog post linked above has a few more words on that topic.

Best
Sebastian

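Added example (not part of Sebastian's message and not libexpat code): the note above that compression shrinks the attack payload is a reminder that a consumer should bound how many decompressed bytes reach the parser, not how many bytes arrived on the wire. The Python below inflates gzip input in bounded chunks with zlib, enforces a cap on the running decompressed total before each chunk is handed to expat via the stdlib xml.parsers.expat streaming API, and adds a check of the libexpat version that the running interpreter links against. The 1 MiB limit, the function names and the two sample payloads are assumptions constructed for this illustration.

```python
"""Bounded decompression in front of expat (added example, not libexpat code).

The policy limit, function names and sample payloads are assumptions made
for this illustration; tune the limit to your deployment.
"""
import gzip
import zlib
import xml.parsers.expat

MAX_DECOMPRESSED_BYTES = 1024 * 1024  # assumed policy limit: 1 MiB of XML


class DecompressedSizeExceeded(Exception):
    """Raised before the parser is handed more than the configured limit."""


def linked_expat_is_fixed(minimum=(2, 8, 1)):
    """Report whether the libexpat this Python links against is >= 2.8.1.

    Caveat: distributions often backport fixes without bumping the version,
    so False means "check your vendor's advisory", not "definitely vulnerable".
    """
    return tuple(xml.parsers.expat.version_info) >= minimum


def parse_gzipped_xml(payload, max_bytes=MAX_DECOMPRESSED_BYTES, chunk=64 * 1024):
    """Inflate a gzip payload chunk by chunk and stream it into expat.

    Returns the element/attribute counts collected by the start handler.
    Raises DecompressedSizeExceeded as soon as the running decompressed
    total passes max_bytes, before the offending chunk reaches the parser.
    """
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing
    parser = xml.parsers.expat.ParserCreate()
    counts = {"elements": 0, "attributes": 0}

    def on_start(name, attrs):
        counts["elements"] += 1
        counts["attributes"] += len(attrs)

    parser.StartElementHandler = on_start

    produced = 0
    offset = 0
    pending = b""
    while pending or offset < len(payload):
        if not pending:
            pending = payload[offset:offset + chunk]
            offset += chunk
        # max_length bounds the output of this call; input that could not be
        # processed yet is kept by zlib and handed back on the next iteration.
        xml_bytes = inflater.decompress(pending, chunk)
        pending = inflater.unconsumed_tail
        produced += len(xml_bytes)
        if produced > max_bytes:
            raise DecompressedSizeExceeded(
                f"decompressed XML exceeded {max_bytes} bytes")
        parser.Parse(xml_bytes, False)

    tail = inflater.flush()  # any output still buffered inside zlib
    produced += len(tail)
    if produced > max_bytes:
        raise DecompressedSizeExceeded(
            f"decompressed XML exceeded {max_bytes} bytes")
    parser.Parse(tail, True)
    return counts


def demo():
    """Constructed inputs: a small benign document and a highly compressible
    oversized one (a few KiB on the wire, 3 MiB once inflated)."""
    benign = gzip.compress(b'<doc a="1" b="2"><item x="y"/></doc>')
    oversized = gzip.compress(b"<r>" + b" " * (3 * 1024 * 1024) + b"</r>")
    result = {"benign": parse_gzipped_xml(benign), "oversized": None}
    try:
        parse_gzipped_xml(oversized)
    except DecompressedSizeExceeded as exc:
        result["oversized"] = str(exc)
    return result


if __name__ == "__main__":
    print("linked expat >= 2.8.1:", linked_expat_is_fixed())
    print(demo())
```

The cap is checked against the decompressed total before each `Parse` call, so a tiny compressed payload cannot push more than `max_bytes` of XML into libexpat regardless of how well it compresses; the same shape works for any streaming decompressor that exposes a per-call output bound.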