CVE-2026-4224

When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/python/cpython/commit/196edfb06a7458377d4d0f4b3cd41724c1f3bd4a	Patch
https://github.com/python/cpython/commit/642865ddf4b232da1f3b1f7abcfa3254c4bfe785	Patch
https://github.com/python/cpython/commit/af856a7177326ac25d9f66cc6dd28b554d914fee	Patch
https://github.com/python/cpython/commit/e0a8a6da90597a924b300debe045cdb4628ee1f3	Patch
https://github.com/python/cpython/commit/eb0e8be3a7e11b87d198a2c3af1ed0eccf532768	Patch
https://github.com/python/cpython/issues/145986	Issue Tracking
https://github.com/python/cpython/pull/145987	Patch
https://mail.python.org/archives/list/security-announce@python.org/thread/5M7CGUW3XBRY7II4DK43KF7NQQ3TPZ6R/	Third Party Advisory
http://www.openwall.com/lists/oss-security/2026/03/16/4	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python:3.15.0:alpha1::::::
	cpe:2.3:a:python:python:3.15.0:alpha2::::::
	cpe:2.3:a:python:python:3.15.0:alpha3::::::
	cpe:2.3:a:python:python:3.15.0:alpha4::::::
	cpe:2.3:a:python:python:3.15.0:alpha5::::::
	cpe:2.3:a:python:python:3.15.0:alpha6::::::
	cpe:2.3:a:python:python:3.15.0:alpha7::::::

History

04 Jun 2026, 19:33

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
First Time		Python Python python
CPE		cpe:2.3:a:python:python:3.15.0:alpha4:::::: cpe:2.3:a:python:python:3.15.0:alpha7:::::: cpe:2.3:a:python:python:3.15.0:alpha1:::::: cpe:2.3:a:python:python:3.15.0:alpha6:::::: cpe:2.3:a:python:python:::::::: cpe:2.3:a:python:python:3.15.0:alpha3:::::: cpe:2.3:a:python:python:3.15.0:alpha2:::::: cpe:2.3:a:python:python:3.15.0:alpha5::::::
References	~~() https://github.com/python/cpython/commit/196edfb06a7458377d4d0f4b3cd41724c1f3bd4a -~~	() https://github.com/python/cpython/commit/196edfb06a7458377d4d0f4b3cd41724c1f3bd4a - Patch
References	~~() https://github.com/python/cpython/commit/642865ddf4b232da1f3b1f7abcfa3254c4bfe785 -~~	() https://github.com/python/cpython/commit/642865ddf4b232da1f3b1f7abcfa3254c4bfe785 - Patch
References	~~() https://github.com/python/cpython/commit/af856a7177326ac25d9f66cc6dd28b554d914fee -~~	() https://github.com/python/cpython/commit/af856a7177326ac25d9f66cc6dd28b554d914fee - Patch
References	~~() https://github.com/python/cpython/commit/e0a8a6da90597a924b300debe045cdb4628ee1f3 -~~	() https://github.com/python/cpython/commit/e0a8a6da90597a924b300debe045cdb4628ee1f3 - Patch
References	~~() https://github.com/python/cpython/commit/eb0e8be3a7e11b87d198a2c3af1ed0eccf532768 -~~	() https://github.com/python/cpython/commit/eb0e8be3a7e11b87d198a2c3af1ed0eccf532768 - Patch
References	~~() https://github.com/python/cpython/issues/145986 -~~	() https://github.com/python/cpython/issues/145986 - Issue Tracking
References	~~() https://github.com/python/cpython/pull/145987 -~~	() https://github.com/python/cpython/pull/145987 - Patch
References	~~() https://mail.python.org/archives/list/security-announce@python.org/thread/5M7CGUW3XBRY7II4DK43KF7NQQ3TPZ6R/ -~~	() https://mail.python.org/archives/list/security-announce@python.org/thread/5M7CGUW3XBRY7II4DK43KF7NQQ3TPZ6R/ - Third Party Advisory
References	~~() http://www.openwall.com/lists/oss-security/2026/03/16/4 -~~	() http://www.openwall.com/lists/oss-security/2026/03/16/4 - Mailing List, Third Party Advisory

08 Apr 2026, 13:16

Type	Values Removed	Values Added
Summary		(es) Cuando un analizador Expat con un ElementDeclHandler registrado analiza una definición de tipo de documento en línea que contiene un modelo de contenido profundamente anidado, se produce un desbordamiento de pila C.
References		() https://github.com/python/cpython/commit/642865ddf4b232da1f3b1f7abcfa3254c4bfe785 - () https://github.com/python/cpython/commit/af856a7177326ac25d9f66cc6dd28b554d914fee -

17 Mar 2026, 00:16

Type	Values Removed	Values Added
References		() http://www.openwall.com/lists/oss-security/2026/03/16/4 -

16 Mar 2026, 19:16

Type	Values Removed	Values Added
CWE		CWE-674

16 Mar 2026, 18:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-16 18:16

Updated : 2026-06-04 19:33

NVD link : CVE-2026-4224

Mitre link : CVE-2026-4224

CVE.ORG link : CVE-2026-4224

JSON object : View

Products Affected

python

python

CWE

CWE-674

Uncontrolled Recursion

7.5 /10