USN-8520-1

Source
https://ubuntu.com/security/notices/USN-8520-1
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8520-1.json
JSON Data
https://api.osv.dev/v1/vulns/USN-8520-1
Upstream
Related
Published
2026-07-09T11:51:02Z
Modified
2026-07-09T21:44:27.849140103Z
Summary
expat vulnerability
Details

It was discovered that Expat used insufficient entropy when generating hash salt values for its internal hash table. An attacker could use this to craft an XML document that triggers hash flooding, leading to a denial of service.

References

Affected packages

Ubuntu:Pro:16.04:LTS / expat

Package

Name
expat
Purl
pkg:deb/ubuntu/expat?arch=source&distro=esm-infra-legacy%2Fxenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.0-7ubuntu0.16.04.5+esm12

Affected versions

2.*
2.1.0-7
2.1.0-7ubuntu0.16.04.1
2.1.0-7ubuntu0.16.04.2
2.1.0-7ubuntu0.16.04.3
2.1.0-7ubuntu0.16.04.4
2.1.0-7ubuntu0.16.04.5
2.1.0-7ubuntu0.16.04.5+esm2
2.1.0-7ubuntu0.16.04.5+esm5
2.1.0-7ubuntu0.16.04.5+esm6
2.1.0-7ubuntu0.16.04.5+esm7
2.1.0-7ubuntu0.16.04.5+esm8
2.1.0-7ubuntu0.16.04.5+esm9
2.1.0-7ubuntu0.16.04.5+esm10
2.1.0-7ubuntu0.16.04.5+esm11

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro with Legacy support add-on: https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_version": "2.1.0-7ubuntu0.16.04.5+esm12",
            "binary_name": "expat"
        },
        {
            "binary_version": "2.1.0-7ubuntu0.16.04.5+esm12",
            "binary_name": "lib64expat1"
        },
        {
            "binary_version": "2.1.0-7ubuntu0.16.04.5+esm12",
            "binary_name": "libexpat1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8520-1.json"
cves_map
{
    "cves": [
        {
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
                },
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "medium"
                }
            ],
            "id": "CVE-2026-41080"
        }
    ],
    "ecosystem": "Ubuntu:Pro:16.04:LTS"
}