diff --git a/meta/recipes-devtools/python/python3/CVE-2026-7210.patch b/meta/recipes-devtools/python/python3/CVE-2026-7210.patch
new file mode 100644
index 0000000000..337130d9b7
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2026-7210.patch
@@ -0,0 +1,136 @@
+From a7fafeebaf33995556a37e9eec4f6a6bcfce2e67 Mon Sep 17 00:00:00 2001
+From: Stan Ulbrych <stan@python.org>
+Date: Sun, 10 May 2026 18:36:26 +0100
+Subject: [PATCH] gh-149018: Use `XML_SetHashSalt16Bytes` in `pyexpat`/`_elementtree` when possible (#149023)
+
+CVE-2026-7210 is a hash-flooding denial-of-service vulnerability in
+Python's XML parsing modules (xml.parsers.expat, xml.etree.ElementTree).
+An attacker can craft XML input that forces O(n²) hash collisions in
+libexpat's internal name dictionary, causing excessive CPU consumption.
+
+The previous mitigation seeded libexpat's hash function with only 4
+bytes of entropy, which is insufficient against a determined attacker.
+This patch upgrades to XML_SetHashSalt16Bytes (libexpat >= 2.8.0),
+providing a full 16-byte secret. Older expat versions fall back
+gracefully to the legacy XML_SetHashSalt via a runtime NULL check.
+
+NOTE: CVE-2026-7210 full mitigation requires the companion
+    expat CVE-2026-41080 patch (raises expat to >= 2.8.0 API)
+
+CVE: CVE-2026-7210
+Upstream-Status: Backport [https://github.com/python/cpython/commit/24b8f12544468e4cedf5bfbe25442fcd495391e4]
+
+Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
+---
+ Include/internal/pycore_pyhash.h                       |  8 +++++---
+ Include/pyexpat.h                                      |  3 +++
+ .../2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst     |  3 +++
+ Modules/_elementtree.c                                 |  8 ++++++--
+ Modules/pyexpat.c                                      | 10 +++++++++-
+ 5 files changed, 26 insertions(+), 6 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst
+
+diff --git a/Include/internal/pycore_pyhash.h b/Include/internal/pycore_pyhash.h
+index 84cb72fa6fd..3056dc44cc0 100644
+--- a/Include/internal/pycore_pyhash.h
++++ b/Include/internal/pycore_pyhash.h
+@@ -27,14 +27,14 @@ _Py_HashPointerRaw(const void *ptr)
+  *   pppppppp ssssssss ........  fnv -- two Py_hash_t
+  *   k0k0k0k0 k1k1k1k1 ........  siphash -- two uint64_t
+  *   ........ ........ ssssssss  djbx33a -- 16 bytes padding + one Py_hash_t
+- *   ........ ........ eeeeeeee  pyexpat XML hash salt
++ *   eeeeeeee eeeeeeee eeeeeeee  pyexpat XML hash salt
+  *
+  * memory layout on 32 bit systems
+  *   cccccccc cccccccc cccccccc  uc
+  *   ppppssss ........ ........  fnv -- two Py_hash_t
+  *   k0k0k0k0 k1k1k1k1 ........  siphash -- two uint64_t (*)
+  *   ........ ........ ssss....  djbx33a -- 16 bytes padding + one Py_hash_t
+- *   ........ ........ eeee....  pyexpat XML hash salt
++ *   eeeeeeee eeeeeeee eeee....  pyexpat XML hash salt
+  *
+  * (*) The siphash member may not be available on 32 bit platforms without
+  *     an unsigned int64 data type.
+@@ -58,7 +58,9 @@ typedef union {
+         Py_hash_t suffix;
+     } djbx33a;
+     struct {
+-        unsigned char padding[16];
++        /* 16 bytes for XML_SetHashSalt16Bytes */
++        uint8_t hashsalt16[16];
++        /* 4/8 bytes for legacy XML_SetHashSalt */
+         Py_hash_t hashsalt;
+     } expat;
+ } _Py_HashSecret_t;
+diff --git a/Include/pyexpat.h b/Include/pyexpat.h
+index 04548b7684a..d28d6828975 100644
+--- a/Include/pyexpat.h
++++ b/Include/pyexpat.h
+@@ -57,6 +57,9 @@ struct PyExpat_CAPI
+         XML_Parser parser, unsigned long long activationThresholdBytes);
+     XML_Bool (*SetAllocTrackerMaximumAmplification)(
+         XML_Parser parser, float maxAmplificationFactor);
++    /* might be NULL for expat < 2.8.0 */
++    XML_Bool (*SetHashSalt16Bytes)(
++        XML_Parser parser, const uint8_t entropy[16]);
+     /* always add new stuff to the end! */
+ };
+ 
+diff --git a/Misc/NEWS.d/next/Security/2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst b/Misc/NEWS.d/next/Security/2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst
+new file mode 100644
+index 00000000000..d1b5b368684
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2026-04-26-19-30-45.gh-issue-149018.a9SqWb.rst
+@@ -0,0 +1,3 @@
++Improved protection against XML hash-flooding attacks in
++:mod:`xml.parsers.expat` and :mod:`xml.etree.ElementTree` when Python is
++compiled with libExpat 2.8.0 or later.
+diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c
+index 7ca03f1561b..44d59fcb806 100644
+--- a/Modules/_elementtree.c
++++ b/Modules/_elementtree.c
+@@ -3724,8 +3724,12 @@ _elementtree_XMLParser___init___impl(XMLParserObject *self, PyObject *target,
+         PyErr_NoMemory();
+         return -1;
+     }
+-    /* expat < 2.1.0 has no XML_SetHashSalt() */
+-    if (EXPAT(st, SetHashSalt) != NULL) {
++    // Prefer 16-byte entropy, only expat >= 2.8.0. See gh-149018
++    if (EXPAT(st, SetHashSalt16Bytes) != NULL) {
++        EXPAT(st, SetHashSalt16Bytes)(self->parser,
++                                      _Py_HashSecret.expat.hashsalt16);
++    }
++    else if (EXPAT(st, SetHashSalt) != NULL) {
+         EXPAT(st, SetHashSalt)(self->parser,
+                            (unsigned long)_Py_HashSecret.expat.hashsalt);
+     }
+diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c
+index f82f8456e48..437fd5fb61a 100644
+--- a/Modules/pyexpat.c
++++ b/Modules/pyexpat.c
+@@ -1416,7 +1416,11 @@ newxmlparseobject(pyexpat_state *state, const char *encoding,
+         Py_DECREF(self);
+         return NULL;
+     }
+-#if XML_COMBINED_VERSION >= 20100
++#if defined(XML_BACKPORT_SET_HASH_SALT_16_BYTES) \
++    || XML_COMBINED_VERSION >= 20800
++    /* This feature was added upstream in libexpat 2.8.0. */
++    XML_SetHashSalt16Bytes(self->itself, _Py_HashSecret.expat.hashsalt16);
++#elif XML_COMBINED_VERSION >= 20100
+     /* This feature was added upstream in libexpat 2.1.0. */
+     XML_SetHashSalt(self->itself,
+                     (unsigned long)_Py_HashSecret.expat.hashsalt);
+@@ -2310,6 +2313,12 @@ pyexpat_exec(PyObject *mod)
+ #else
+     capi->SetHashSalt = NULL;
+ #endif
++#if defined(XML_BACKPORT_SET_HASH_SALT_16_BYTES) \
++    || XML_COMBINED_VERSION >= 20800
++    capi->SetHashSalt16Bytes = XML_SetHashSalt16Bytes;
++#else
++    capi->SetHashSalt16Bytes = NULL;
++#endif
+ #if XML_COMBINED_VERSION >= 20600
+     capi->SetReparseDeferralEnabled = XML_SetReparseDeferralEnabled;
+ #else
diff --git a/meta/recipes-devtools/python/python3_3.14.5.bb b/meta/recipes-devtools/python/python3_3.14.5.bb
index ed413dc1fe..83f6bf426c 100644
--- a/meta/recipes-devtools/python/python3_3.14.5.bb
+++ b/meta/recipes-devtools/python/python3_3.14.5.bb
@@ -36,6 +36,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
            file://0001-test_only_active_thread-skip-problematic-test.patch \
            file://0001-prefer-valid-entrypoints.patch \
            file://0001-Fix-ThreadingMock-call-count-race-condition.patch \
+           file://CVE-2026-7210.patch \
            "
 SRC_URI:append:class-native = " \
            file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \
