- CVE-2026-7210 + CVE-2026-41080 (paired): backport libexpat 16-byte salt API (XML_SetHashSalt16Bytes) into bundled expat 2.4.1 and wire pyexpat/_elementtree to use it. Together these restore proper hash-flood mitigation for xml.parsers.expat and xml.etree.ElementTree. CVE-2026-7210 (cpython 24b8f12): xml.parsers.expat and xml.etree.ElementTree used insufficient entropy (a single Py_hash_t) for Expat hash-flooding protection. The cpython half of the fix seeds the parser with the full 16-byte _Py_HashSecret.expat.hashsalt16 via XML_SetHashSalt16Bytes when the libexpat being linked exposes that API. CVE-2026-41080 (libexpat PR #1183): libexpat's hash-flood protection itself only used 4-8 bytes of entropy for the SipHash salt. The libexpat half adds the new XML_SetHashSalt16Bytes API (and widens the parser's internal salt storage to a full struct sipkey) so the 16-byte path is available. Backported into the bundled libexpat 2.4.1 tree in Modules/expat/; the bundled expat.h now also defines XML_HAS_HASHSALT16BYTES_BACKPORT so the cpython 20800 gate activates against the patched bundle without bumping the advertised libexpat version. Alpine builds use --with-system-expat and are unaffected by the libexpat backport.