Description
Duplicate of CVE-2026-32287
Published: 2026-03-23
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: Denial of Service (resource exhaustion)
Action: Patch Now
AI Analysis

Impact

The vulnerability lies in the GitHub package antchfx/xpath, which is used by several Red Hat products. A remote attacker can submit specially crafted Boolean XPath expressions that evaluate to true, causing the logicalQuery.Select function to enter an infinite loop. This loop drives CPU usage to 100 % and results in a denial of service for the affected system.

Affected Systems

Any installation of the Red Hat Compliance Operator, File Integrity Operator, Migration Toolkit for Applications 8, Advanced Cluster Management for Kubernetes, Enterprise Linux 9 or 10, OpenShift Container Platform 4, or OpenShift distributed tracing that incorporates the antchfx/xpath library may be vulnerable. No specific version numbers are listed in the reference data, so the risk applies to all current releases of those products that depend on the impacted library.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, though the EPSS score is not available and the vulnerability is not yet listed in the CISA KEV catalog. The attack vector is inferred to be remote, via submission of crafted Boolean expressions to any service that processes XPath queries. If exploited, the effect is a system‑wide denial of service due to CPU exhaustion, potentially affecting availability of critical services.

Generated by OpenCVE AI on March 23, 2026 at 15:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update all Red Hat packages that depend on antchfx/xpath to the latest available release

Generated by OpenCVE AI on March 23, 2026 at 15:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 09:15:00 +0000

Type Values Removed Values Added
Title Github.com/antchfx/xpath: xpath: denial of service via crafted boolean xpath expressions github.com/antchfx/xpath: xpath: Denial of Service via crafted Boolean XPath expressions
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 08:30:00 +0000

Type Values Removed Values Added
References

Mon, 30 Mar 2026 08:15:00 +0000

Type Values Removed Values Added
Description A flaw was found in the `github.com/antchfx/xpath` component. A remote attacker could exploit this vulnerability by submitting crafted Boolean XPath expressions that evaluate to true. This can cause an infinite loop in the `logicalQuery.Select` function, leading to 100% CPU utilization and a Denial of Service (DoS) condition for the affected system. Duplicate of CVE-2026-32287
CPEs cpe:/a:redhat:acm:2
cpe:/a:redhat:migration_toolkit_applications:8
cpe:/a:redhat:openshift:4
cpe:/a:redhat:openshift_compliance_operator:1
cpe:/a:redhat:openshift_distributed_tracing:3
cpe:/a:redhat:openshift_file_integrity_operator:1
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat acm
Redhat migration Toolkit Applications
Redhat openshift

Tue, 24 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat advanced Cluster Management For Kubernetes
Redhat migration Toolkit For Applications
Redhat openshift Container Platform
Vendors & Products Redhat advanced Cluster Management For Kubernetes
Redhat migration Toolkit For Applications
Redhat openshift Container Platform

Tue, 24 Mar 2026 02:45:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Mon, 23 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
Description A flaw was found in the `github.com/antchfx/xpath` component. A remote attacker could exploit this vulnerability by submitting crafted Boolean XPath expressions that evaluate to true. This can cause an infinite loop in the `logicalQuery.Select` function, leading to 100% CPU utilization and a Denial of Service (DoS) condition for the affected system.
Title Github.com/antchfx/xpath: xpath: denial of service via crafted boolean xpath expressions
First Time appeared Redhat
Redhat acm
Redhat enterprise Linux
Redhat migration Toolkit Applications
Redhat openshift
Redhat openshift Compliance Operator
Redhat openshift Distributed Tracing
Redhat openshift File Integrity Operator
Weaknesses CWE-835
CPEs cpe:/a:redhat:acm:2
cpe:/a:redhat:migration_toolkit_applications:8
cpe:/a:redhat:openshift:4
cpe:/a:redhat:openshift_compliance_operator:1
cpe:/a:redhat:openshift_distributed_tracing:3
cpe:/a:redhat:openshift_file_integrity_operator:1
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat acm
Redhat enterprise Linux
Redhat migration Toolkit Applications
Redhat openshift
Redhat openshift Compliance Operator
Redhat openshift Distributed Tracing
Redhat openshift File Integrity Operator
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Redhat Advanced Cluster Management For Kubernetes Enterprise Linux Migration Toolkit For Applications Openshift Compliance Operator Openshift Container Platform Openshift Distributed Tracing Openshift File Integrity Operator
cve-icon MITRE

Status: REJECTED

Assigner: redhat

Published:

Updated: 2026-03-30T08:01:39.710Z

Reserved: 2026-03-23T12:21:39.096Z

Link: CVE-2026-4645

cve-icon Vulnrichment

Updated:

cve-icon NVD

Status : Rejected

Published: 2026-03-23T14:16:36.063

Modified: 2026-03-30T08:16:18.693

Link: CVE-2026-4645

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-17T20:58:59Z

Links: CVE-2026-4645 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:49:04Z

Weaknesses