CVE-2026-42402

EPSS 0.04%
Veröffentlicht 01.05.2026 08:54:41
Zuletzt bearbeitet 01.05.2026 18:08:59
Quelle security@apache.org
CVE-Watchlists
Login
Unerledigt
Login

Apache Neethi: Policy Normalization Unbounded Resource Allocation DoS

Apache Neethi is vulnerable to a Denial of Service attack through algorithmic complexity in policy normalization. Specially crafted WS-Policy documents can trigger an exponential Cartesian cross-product expansion during the normalization process, causing unbounded memory allocation that exhausts the JVM heap. This occurs when the normalization process generates an excessive number of policy alternatives without bounds, leading to runtime memory exhaustion.

Users should upgrade to 3.2.2 which limits the maximum number of normalized policy alternatives.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Neethi Version < 3.2.2

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.117

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@apache.org	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

https://lists.apache.org/thread/p826j0phhmr9f83wzpmys1y0bdfrr2q4

Vendor Advisory

Mailing List

http://www.openwall.com/lists/oss-security/2026/05/01/6

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2026-42402

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-42402

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-42402

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-42402