CVE-2026-42402 HIGH

CVE-2026-42402: Apache Neethi: Policy Normalization Unbounded Resource Allocation DoS

Vendor Apache Software Foundation

Product Apache Neethi

Weakness CWE-400

Published May 1, 2026

Last update May 1, 2026

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

Apache Neethi is vulnerable to a Denial of Service attack through algorithmic complexity in policy normalization. Specially crafted WS-Policy documents can trigger an exponential Cartesian cross-product expansion during the normalization process, causing unbounded memory allocation that exhausts the JVM heap. This occurs when the normalization process generates an excessive number of policy alternatives without bounds, leading to runtime memory exhaustion. Users should upgrade to 3.2.2 which limits the maximum number of normalized policy alternatives.

Key dates

Disclosure timeline

May 1, 2026 CVE published

May 1, 2026 Record updated