[Security-announce][CVE-2026-4224] Stack overflow parsing XML with deeply nested DTD content models

March 16, 2026

      There is a HIGH severity vulnerability
affecting CPython.
When an Expat parser with a registered ElementDeclHandler parses an inline
document type definition containing a deeply nested content model a C stack
overflow occurs.
Please see the linked CVE ID for the latest information on
affected versions:

https://www.cve.org/CVERecord?id=CVE-2026-4224
https://github.com/python/cpython/commit/eb0e8be3a7e11b87d198a2c3af1ed0eccf5...

[Security-announce][CVE-2026-4224] Stack overflow parsing XML with deeply nested DTD content models

Stan Ulbrych