CVE-2026-42402 - Vulnerability Details

- Apache Neethi: Policy Normalization Unbounded Resource Allocation DoS

Description

Apache Neethi is vulnerable to a Denial of Service attack through algorithmic complexity in policy normalization. Specially crafted WS-Policy documents can trigger an exponential Cartesian cross-product expansion during the normalization process, causing unbounded memory allocation that exhausts the JVM heap. This occurs when the normalization process generates an excessive number of policy alternatives without bounds, leading to runtime memory exhaustion.

Users should upgrade to 3.2.2 which limits the maximum number of normalized policy alternatives.

Published: 2026-05-01

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Apache Neethi software is vulnerable to a denial‑of‑service condition caused by algorithmic complexity in policy normalization. The implementation expands policy alternatives using a Cartesian cross‑product without a defined limit, leading to unbounded memory allocation that can exhaust the JVM heap. As a result, an attacker can trigger a service crash or severe performance degradation through specially crafted WS‑Policy documents. The weakness is identified as CWE‑400, which highlights unbounded resource consumption.

Affected Systems

All installations of Apache Neethi up to the 3.2.1 release are affected. The vendor recommends upgrading to version 3.2.2 or later, where a maximum limit on normalized policy alternatives is enforced. There are no other specific vendor or product exceptions listed.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity denial‑of‑service vulnerability. The EPSS score is < 1%, indicating a very low but nonzero likelihood of exploitation. The lack of a KEV listing suggests that no widespread attacks are currently reported. The most probable attack vector involves an attacker submitting a malicious WS‑Policy document to a service that uses Neethi for policy handling. If successful, the attacker can cause the process to consume all heap memory, leading to a crash or significant slowdown.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Apache Software Foundation

Apache Neethi

unaffected

Version	Status	Constraints
`0`	affected	< 3.2.2

Configuration 1 [-]

cpe:2.3:a:apache:neethi:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Apache Neethi to version 3.2.2 or later to enforce a limit on normalized policy alternatives.
Configure the JVM heap size to a safe level using -Xmx to mitigate potential memory exhaustion.
Restrict access to components that process WS‑Policy documents to trusted networks or users to limit exposure.

Generated by OpenCVE AI on May 2, 2026 at 07:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0003.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/05/01/6
https://lists.apache.org/thread/p826j0phhmr9f83wzpmys1y0bdfrr2q4

History

Fri, 01 May 2026 18:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apache Apache neethi
CPEs		cpe:2.3:a:apache:neethi::::::::
Vendors & Products		Apache Apache neethi

Fri, 01 May 2026 17:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/05/01/6

Fri, 01 May 2026 14:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 01 May 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		Apache Neethi is vulnerable to a Denial of Service attack through algorithmic complexity in policy normalization. Specially crafted WS-Policy documents can trigger an exponential Cartesian cross-product expansion during the normalization process, causing unbounded memory allocation that exhausts the JVM heap. This occurs when the normalization process generates an excessive number of policy alternatives without bounds, leading to runtime memory exhaustion. Users should upgrade to 3.2.2 which limits the maximum number of normalized policy alternatives.
Title		Apache Neethi: Policy Normalization Unbounded Resource Allocation DoS
Weaknesses		CWE-400
References		https://lists.apache.org/thread/p826j0phhmr9f83wzpmys1y0bdfrr2q4
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

Apache Neethi

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2026-05-01T08:54:41.427Z

Updated: 2026-05-01T16:21:05.909Z

Reserved: 2026-04-27T10:27:13.637Z

Link: CVE-2026-42402

Vulnrichment

Updated: 2026-05-01T16:21:05.909Z

NVD

Status : Analyzed

Published: 2026-05-01T09:16:16.980

Modified: 2026-05-01T18:08:59.950

Link: CVE-2026-42402

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T08:00:14Z

Weaknesses

CWE-400

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object