VYPR
High severity7.5NVD Advisory· Published May 1, 2026· Updated May 1, 2026

CVE-2026-42402

CVE-2026-42402

Description

Apache Neethi is vulnerable to a Denial of Service attack through algorithmic complexity in policy normalization. Specially crafted WS-Policy documents can trigger an exponential Cartesian cross-product expansion during the normalization process, causing unbounded memory allocation that exhausts the JVM heap. This occurs when the normalization process generates an excessive number of policy alternatives without bounds, leading to runtime memory exhaustion.

Users should upgrade to 3.2.2 which limits the maximum number of normalized policy alternatives.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.neethi:neethiMaven
< 3.2.23.2.2

Affected products

6

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.