Release date: 2026-05-27 14:21:18 UTC
Description:
- CVE-2026-7210 + CVE-2026-41080 (paired): backport the libexpat 16-byte salt API (XML_SetHashSalt16Bytes) into the bundled expat 2.2.8 and wire pyexpat/_elementtree to use it. Together these restore proper hash-flood mitigation.
  * CVE-2026-7210 (cpython side, gh-149018 / 24b8f12): xml.parsers.expat and xml.etree.ElementTree used the legacy 8-byte XML_SetHashSalt API, which can be brute-forced to trigger hash collisions. The fix adds a hashsalt16[16] field to _Py_HashSecret_t in Include/object.h (seeded by _PyRandom_Init), exposes a NULL-able SetHashSalt16Bytes function pointer in the pyexpat CAPI struct, and prefers the new 16-byte API whenever XML_COMBINED_VERSION >= 20800.
  * CVE-2026-41080 (libexpat side, PR #1183): widens m_hash_secret_salt in the bundled libexpat 2.2.8 source tree (Modules/expat/) from `unsigned long` to a `struct sipkey` (128 bits) and adds the new public XML_SetHashSalt16Bytes() entry point. The bundled pyexpat.so / _elementtree.so are statically linked against this tree, so the cpython half can now consume the full 16-byte entropy in every build configuration (no external libexpat >= 2.8.0 requirement).
Updated packages:
- alt-python27-2.7.18-33.el10.x86_64.rpm sha:6d17b349f141df0eb02d2908c5c34861ab713cb54b8834cd4693957bcb341a44
- alt-python27-debug-2.7.18-33.el10.x86_64.rpm sha:412c333fa06b159cb1bea18b53f0704a5156cab3bc6b49fbd39cc142017b8b94
- alt-python27-devel-2.7.18-33.el10.x86_64.rpm sha:5199d69587aaf2b3d37ff2b2871ae748e4639334fba9c31b78099e1ce4af311e
- alt-python27-libs-2.7.18-33.el10.x86_64.rpm sha:ee76d9be84f47caf97beeb59fb91869d78b535634ad8f2dbc0b9dde513857e3e
- alt-python27-test-2.7.18-33.el10.x86_64.rpm sha:0b6aa4732cbd76c96d6c726cfdee7efc6820a33a9a69af165617743cf00988ba
- alt-python27-tkinter-2.7.18-33.el10.x86_64.rpm sha:ce408ae90983988e1a91c27984231a866e238e389ca6106a12e556051fea5723
- alt-python27-tools-2.7.18-33.el10.x86_64.rpm sha:34e35b4e60f32a8cd752de7abfdae65632fd4b2bbbeecb6e85b828f111fc2f28
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.