Cyber Resilience

CVE-2026-42402

High · DDoS

Published: 01 May 2026

Modified: 01 May 2026
KEV Added: not listed
Patch: available (3.2.2)
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS score: 0.0004 (13.8th percentile)
Risk priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-42402 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Apache Neethi. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS ranks this CVE at the 13.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-42402 is a denial-of-service vulnerability in Apache Neethi, a Java library for processing WS-Policy documents. The issue stems from algorithmic complexity during policy normalization, where specially crafted WS-Policy inputs trigger an exponential Cartesian cross-product expansion. This generates an excessive number of policy alternatives without bounds, causing unbounded memory allocation that exhausts the JVM heap and leads to runtime crashes. The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Remote, unauthenticated attackers can exploit this vulnerability by supplying malicious WS-Policy documents to applications that use vulnerable versions of Apache Neethi for policy processing. No user interaction or privileges are required, and exploitation is straightforward due to low attack complexity. Successful attacks result in high-impact availability disruption through memory exhaustion, potentially crashing the affected JVM and denying service to dependent services.

Apache advisories recommend upgrading to version 3.2.2, which mitigates the issue by limiting the maximum number of normalized policy alternatives to prevent unbounded expansion. Further details are provided in the Apache mailing list announcement at https://lists.apache.org/thread/p826j0phhmr9f83wzpmys1y0bdfrr2q4 and the OSS-Security posting at http://www.openwall.com/lists/oss-security/2026/05/01/6.
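The fix the advisory describes, a cap on the number of normalized alternatives, works because the size of a WS-Policy normal form can be computed without building it: under WS-Policy semantics an All (or Policy) element's alternatives are the Cartesian product of its children's, an ExactlyOne element's are the union, and a bare assertion contributes exactly one. The following is an added illustration in Python, not Apache Neethi's code (Neethi is Java, but the bounding idea is language-independent); the cap value, the element and function names, and the sample policies are all constructed for this example.

```python
# Added example (not Apache Neethi code): count WS-Policy alternatives against a
# cap before normalising, so an oversized policy is rejected rather than expanded.
import xml.etree.ElementTree as ET

WSP = "{http://www.w3.org/ns/ws-policy}"          # WS-Policy 1.5 namespace
POLICY, ALL, EXACTLY_ONE = WSP + "Policy", WSP + "All", WSP + "ExactlyOne"
MAX_ALTERNATIVES = 16                               # hypothetical cap for this demo


class PolicyTooLarge(ValueError):
    """Raised when a policy would normalise to more alternatives than the cap."""


def count_alternatives(el, cap=MAX_ALTERNATIVES):
    """Size of the normal form, computed without expanding it.

    Policy/All: Cartesian product of the children -> multiply.
    ExactlyOne: union of the children             -> add.
    Anything else is an assertion                 -> one alternative.
    The running total is checked after every step, so the walk stops as soon
    as the cap is exceeded; cost is linear in the size of the XML tree.
    """
    if el.tag in (POLICY, ALL):
        n = 1
        for child in el:
            n *= count_alternatives(child, cap)
            if n > cap:
                raise PolicyTooLarge(f"more than {cap} alternatives")
        return n
    if el.tag == EXACTLY_ONE:
        n = 0
        for child in el:
            n += count_alternatives(child, cap)
            if n > cap:
                raise PolicyTooLarge(f"more than {cap} alternatives")
        return n
    return 1


def _expand(el):
    """Unbounded normalisation: the cross product the advisory describes."""
    if el.tag in (POLICY, ALL):
        alts = [()]
        for child in el:
            alts = [a + b for a in alts for b in _expand(child)]
        return alts
    if el.tag == EXACTLY_ONE:
        return [alt for child in el for alt in _expand(child)]
    return [(el.tag,)]                              # assertion: one alternative


def normalize_xml(xml_text, cap=MAX_ALTERNATIVES):
    """Normal form as a list of alternatives (tuples of assertion tags), built
    only after count_alternatives() has proven the result fits the cap."""
    root = ET.fromstring(xml_text)
    count_alternatives(root, cap)                   # guard runs before any expansion
    return _expand(root)


def check(xml_text, cap=MAX_ALTERNATIVES):
    """Return ("ok", n) when the policy fits the cap, else ("rejected", None)."""
    try:
        return "ok", len(normalize_xml(xml_text, cap))
    except PolicyTooLarge:
        return "rejected", None


# Constructed sample: two choices of two assertions -> 2 x 2 = 4 alternatives.
BENIGN_POLICY = """<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:ex="urn:example">
  <wsp:ExactlyOne><ex:A/><ex:B/></wsp:ExactlyOne>
  <wsp:ExactlyOne><ex:C/><ex:D/></wsp:ExactlyOne>
</wsp:Policy>"""


def make_policy(k):
    """Constructed sample: k sibling ExactlyOne elements with two assertions
    each, so the normal form would have 2**k alternatives."""
    choice = "<wsp:ExactlyOne><ex:A/><ex:B/></wsp:ExactlyOne>"
    return ('<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy" '
            'xmlns:ex="urn:example">' + choice * k + "</wsp:Policy>")


if __name__ == "__main__":
    print(check(BENIGN_POLICY))     # ('ok', 4)
    print(check(make_policy(4)))    # ('ok', 16)  exactly at the cap
    print(check(make_policy(5)))    # ('rejected', None)  32 > 16, never expanded
```

The point of the design is the ordering: the counting pass is cheap and bounded, so a document whose normal form would not fit is refused before a single alternative is materialised, which is the resource limit on policy normalization that SC-5 asks for.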

Vulnerability details

Apache Neethi is vulnerable to a Denial of Service attack through algorithmic complexity in policy normalization. Specially crafted WS-Policy documents can trigger an exponential Cartesian cross-product expansion during the normalization process, causing unbounded memory allocation that exhausts the JVM heap. This occurs when the normalization process generates an excessive number of policy alternatives without bounds, leading to runtime memory exhaustion. Users should upgrade to 3.2.2, which limits the maximum number of normalized policy alternatives.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability enables remote exploitation of a public-facing or internal application via crafted WS-Policy input to trigger resource exhaustion and crash the JVM, directly mapping to Application or System Exploitation for Endpoint Denial of Service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-42403: same product (Apache Neethi)
CVE-2025-23184: same vendor (Apache)
CVE-2026-42404: same product (Apache Neethi)
CVE-2026-39304: same vendor (Apache)
CVE-2026-49361: same vendor (Apache)
CVE-2024-45626: same vendor (Apache)
CVE-2026-41284: same vendor (Apache)
CVE-2026-41636: same vendor (Apache)
CVE-2025-53477: same vendor (Apache)
CVE-2025-48431: same vendor (Apache)

Affected Assets

apache / neethi / ≤ 3.2.2

Mitigating Controls (NIST 800-53 r5, AI-mapped)

Prevent (SI-2 Flaw Remediation): Timely remediation by upgrading to Apache Neethi 3.2.2 directly eliminates the algorithmic complexity vulnerability that causes unbounded memory exhaustion.

Prevent (SC-5 Denial-of-service Protection): Denial-of-service protections, such as resource limits on memory allocation during policy normalization, prevent exploitation from exhausting the JVM heap.

Prevent: Input validation of WS-Policy documents rejects specially crafted inputs that would trigger exponential Cartesian cross-product expansion.
