CVE-2026-42402
Last modified
CVE-2026-42402 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Apache Neethi is vulnerable to a Denial of Service attack through algorithmic complexity in policy normalization. Specially crafted WS-Policy documents can trigger an exponential Cartesian cross-product expansion during the normalization process, causing unbounded memory allocation that exhausts the JVM heap. EPSS estimates a 0.71% chance of exploitation in the next 30 days.
Description
Apache Neethi is vulnerable to a Denial of Service attack through algorithmic complexity in policy normalization. Specially crafted WS-Policy documents can trigger an exponential Cartesian cross-product expansion during the normalization process, causing unbounded memory allocation that exhausts the JVM heap. This occurs when the normalization process generates an excessive number of policy alternatives without bounds, leading to runtime memory exhaustion. Users should upgrade to 3.2.2 which limits the maximum number of normalized policy alternatives.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Neethi | < 3.2.2 |
References
- https://lists.apache.org/thread/p826j0phhmr9f83wzpmys1y0bdfrr2q4Mailing List, Vendor Advisory
- http://www.openwall.com/lists/oss-security/2026/05/01/6Mailing List, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-42402?
How severe is CVE-2026-42402?
How do I fix CVE-2026-42402?
Are you affected by CVE-2026-42402?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST