Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAB8XdGA94hPGPZ15tGj9C_jH4S73DWN+9xh68GGga4+Sm2yLGw@mail.gmail.com>
Date: Fri, 1 May 2026 09:19:13 +0100
From: Colm O hEigeartaigh <coheigea@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-42402: Apache Neethi: Policy Normalization Unbounded
 Resource Allocation DoS

Severity: High

Affected versions:

- Apache Neethi before 3.2.2

Description:

Apache Neethi is vulnerable to a Denial of Service attack through
algorithmic complexity in policy normalization. Specially crafted
WS-Policy documents can trigger an exponential Cartesian cross-product
expansion during the normalization process, causing unbounded memory
allocation that exhausts the JVM heap. This occurs when the
normalization process generates an excessive number of policy
alternatives without bounds, leading to runtime memory exhaustion.

Users should upgrade to 3.2.2 which limits the maximum number of
normalized policy alternatives.

References:

https://ws.apache.org/neethi/security.html
https://www.cve.org/CVERecord?id=CVE-2026-42402

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.