PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45186 Unknown Vendor CVE debrief

CVE-2026-45186 is a low-severity denial-of-service issue in libexpat before 2.8.1. According to the CVE description, the weakness lies in the computational complexity of the parser's attribute name collision (duplicate-attribute) checks: a crafted XML document can make the parser spend excessive processing time and degrade the availability of whatever depends on it.

Vendor
Unknown Vendor (no CPE data in the stored record; the CVE description names libexpat)
Product
Unknown (libexpat before 2.8.1, per the CVE description)
CVSS
LOW 2.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-10
Original CVE updated
2026-05-10
Advisory published
2026-05-10
Advisory updated
2026-05-10

Who should care

Teams that embed or depend on libexpat for XML parsing, especially in services that accept attacker-controlled XML or process XML from untrusted sources.

Technical summary

The CVE is mapped to CWE-407 (inefficient algorithmic complexity) and describes a complexity-based DoS condition in libexpat before 2.8.1. NVD lists the vector as CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L: local attack vector, high attack complexity, no privileges or user interaction required, unchanged scope, and a low impact on availability with none on confidentiality or integrity, which is what yields the 2.9 base score. AV:L is how NVD scored the library; in a service that parses XML received over the network, the same parser is reachable with remote input, so weigh the local rating accordingly. The source reference points to upstream GitHub pull request 1216 as the related fix context.
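To make the CWE-407 point concrete, the following is an added illustration written for this debrief; it is not libexpat's code and does not reproduce the defect or the fix from PR 1216. It models the weakness class in general: a duplicate-attribute check that compares each new name against every earlier name costs O(n^2) per start tag, while a set-based check costs O(n), so the work an attacker can force grows with the square of the attribute count in the naive case. It also builds a constructed wide-element document and runs it through the libexpat build bound to the Python interpreter via the pyexpat module (the attribute count n and the names `a0`, `a1`, ... are the example's own choices).

```python
# Added illustration for this debrief (not libexpat's code): a simplified model
# of the CWE-407 weakness class behind CVE-2026-45186. The real libexpat
# implementation and the fix referenced by PR 1216 are not reproduced here.
import re
from pyexpat import ParserCreate

# Matches name="value" pairs inside a start tag (constructed input only; this is
# not a general XML attribute grammar).
ATTR_RE = re.compile(r'([A-Za-z_][\w.\-]*)="[^"]*"')


def build_wide_element(n):
    """Constructed test input: one start tag carrying n distinct attributes."""
    attrs = " ".join(f'a{i}="{i}"' for i in range(n))
    return f"<root {attrs}/>"


def attribute_names(start_tag):
    """Extract attribute names from a constructed start tag."""
    return ATTR_RE.findall(start_tag)


def naive_collision_check(names):
    """Quadratic model: compare each new name against every earlier name.

    Returns (duplicate_found, comparisons). With n distinct names this does
    n*(n-1)/2 comparisons, so doubling the attribute count quadruples the cost.
    """
    seen = []
    comparisons = 0
    for name in names:
        for earlier in seen:
            comparisons += 1
            if earlier == name:
                return True, comparisons
        seen.append(name)
    return False, comparisons


def hashed_collision_check(names):
    """Linear model: one set lookup per name. Returns (duplicate_found, lookups)."""
    seen = set()
    lookups = 0
    for name in names:
        lookups += 1
        if name in seen:
            return True, lookups
        seen.add(name)
    return False, lookups


def count_attrs_with_expat(xml):
    """Parse with the libexpat build bound to this interpreter and return the
    attribute count its start-element callback reports for the first element."""
    counts = []
    parser = ParserCreate()
    parser.StartElementHandler = lambda name, attrs: counts.append(len(attrs))
    parser.Parse(xml, True)
    return counts[0]


if __name__ == "__main__":
    for n in (100, 1000, 10000):
        names = attribute_names(build_wide_element(n))
        _, quadratic = naive_collision_check(names)
        _, linear = hashed_collision_check(names)
        print(f"n={n:>6}  naive comparisons={quadratic:>10}  set lookups={linear:>6}")
    print("expat saw", count_attrs_with_expat(build_wide_element(200)), "attributes")
```

The comparison counts, not wall-clock time, are the signal to look at: they are deterministic and show the growth rate directly. Keep n modest when feeding `build_wide_element` output to a real parser on a host that still runs an unpatched libexpat.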

Defensive priority

Low overall severity, but it should be prioritized for any deployment that parses untrusted XML, or that exposes XML handling in user-facing or automation workflows where one slow parse can stall a worker.

Recommended defensive actions

  • Upgrade libexpat to 2.8.1 or later.
  • Inventory applications and libraries that bundle or link against libexpat, including statically linked and vendored copies that the system package manager will not report.
  • Review XML parsing paths that accept untrusted input; cap document size before data reaches the parser, and reject documents that exceed what the application's schema could plausibly need.
  • Monitor for parsing slowdowns, timeouts, or repeated XML-processing failures in exposed services.
  • Track upstream project guidance and release artifacts tied to the referenced fix work.
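The two checks above that can be scripted, confirming which libexpat build a runtime is bound to and capping what untrusted XML is allowed to ask of the parser, as an added example written for this debrief (not code from the libexpat project or the advisory source). It uses Python's pyexpat module, which links libexpat, to read the linked version; the 2.8.1 threshold comes from the CVE description, while `max_bytes` and `max_attrs_per_element` are illustrative policy values of this example, not limits recommended by the project.

```python
# Added example for this debrief (not from the libexpat project or the advisory
# source). Checks the libexpat build behind this interpreter against the fixed
# version named in the CVE description, and parses untrusted XML only under a
# byte cap. The cap values are illustrative policy choices, not project guidance.
import pyexpat

FIXED_VERSION = (2, 8, 1)  # from the CVE description: affected is "before 2.8.1"


def expat_is_fixed(version=pyexpat.version_info):
    """True if the given (major, minor, micro) tuple is 2.8.1 or later."""
    return tuple(version) >= FIXED_VERSION


def linked_expat():
    """Report the expat build bound to this interpreter, e.g. ('expat_2.5.0', False)."""
    return pyexpat.EXPAT_VERSION, expat_is_fixed()


class XmlPolicyError(ValueError):
    """Raised when untrusted input violates the parsing policy."""


def parse_untrusted(data, max_bytes=1_000_000, max_attrs_per_element=256):
    """Parse untrusted XML (bytes or str) under a size cap.

    Returns element and attribute totals. The byte cap is the only control here
    that bounds the parser's work up front: StartElementHandler runs only after
    libexpat has finished processing a start tag, so max_attrs_per_element is a
    policy rejection of implausible documents, not a bound on the cost already
    paid for that tag.
    """
    if len(data) > max_bytes:
        raise XmlPolicyError(f"document of {len(data)} bytes exceeds cap of {max_bytes}")

    stats = {"elements": 0, "attributes": 0}

    def on_start(name, attrs):
        if len(attrs) > max_attrs_per_element:
            raise XmlPolicyError(
                f"<{name}> carries {len(attrs)} attributes, cap is {max_attrs_per_element}"
            )
        stats["elements"] += 1
        stats["attributes"] += len(attrs)

    parser = pyexpat.ParserCreate()
    parser.StartElementHandler = on_start
    parser.Parse(data, True)  # exceptions raised in the handler propagate out
    return stats


def policy_rejects(data, **caps):
    """True if parse_untrusted refuses the document under the given caps."""
    try:
        parse_untrusted(data, **caps)
    except XmlPolicyError:
        return True
    return False


# Constructed sample input for the example; not taken from any real feed.
SAMPLE = b'<feed><entry id="1" kind="note"/><entry id="2"/></feed>'

if __name__ == "__main__":
    version, fixed = linked_expat()
    print(f"linked {version}: {'fixed' if fixed else 'NOT fixed'} for CVE-2026-45186")
    print("sample stats:", parse_untrusted(SAMPLE))
    print("oversized rejected:", policy_rejects(SAMPLE, max_bytes=10))
```

Run `linked_expat()` on each runtime you inventory, not just on the build host: a Python installed from a distribution package, a container base image, and an embedded interpreter can each link a different libexpat. Do not rely on a signal- or thread-based timeout as the substitute for the byte cap; a CPython signal handler runs between bytecode instructions and cannot interrupt a single long `Parse()` call inside the C library.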

Evidence notes

The source corpus identifies the issue in libexpat before 2.8.1 and describes a denial of service caused by the computational complexity of attribute name collision checks. NVD metadata also provides the CVSS vector and CWE-407 classification. No CPE entries were provided in the supplied source item, so product scope is taken from the CVE description and reference context only.

Official resources

The CVE was published and last modified on 2026-05-10T07:16:07.883Z. It is not marked as a Known Exploited Vulnerability in the supplied timeline or enrichment data.