CVE-2026-42402
Published: 01 May 2026
Summary
CVE-2026-42402 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Apache Neethi. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 11.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely remediation by upgrading to Apache Neethi 3.2.2 directly eliminates the algorithmic complexity vulnerability causing unbounded memory exhaustion.
Denial-of-service protections, such as resource limits on memory allocation during policy normalization, prevent exploitation leading to JVM heap exhaustion.
Input validation of WS-Policy documents rejects specially crafted inputs that trigger exponential Cartesian cross-product expansion.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables remote exploitation of a public-facing or internal application via crafted WS-Policy input to trigger resource exhaustion and crash the JVM, directly mapping to Application or System Exploitation for Endpoint Denial of Service.
NVD Description
Apache Neethi is vulnerable to a Denial of Service attack through algorithmic complexity in policy normalization. Specially crafted WS-Policy documents can trigger an exponential Cartesian cross-product expansion during the normalization process, causing unbounded memory allocation that exhausts the JVM heap.…
more
This occurs when the normalization process generates an excessive number of policy alternatives without bounds, leading to runtime memory exhaustion. Users should upgrade to 3.2.2 which limits the maximum number of normalized policy alternatives.
Deeper analysisAI
CVE-2026-42402 is a denial-of-service vulnerability in Apache Neethi, a Java library for processing WS-Policy documents. The issue stems from algorithmic complexity during policy normalization, where specially crafted WS-Policy inputs trigger an exponential Cartesian cross-product expansion. This generates an excessive number of policy alternatives without bounds, causing unbounded memory allocation that exhausts the JVM heap and leads to runtime crashes. The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Remote, unauthenticated attackers can exploit this vulnerability by supplying malicious WS-Policy documents to applications that use vulnerable versions of Apache Neethi for policy processing. No user interaction or privileges are required, and exploitation is straightforward due to low attack complexity. Successful attacks result in high-impact availability disruption through memory exhaustion, potentially crashing the affected JVM and denying service to dependent services.
Apache advisories recommend upgrading to version 3.2.2, which mitigates the issue by limiting the maximum number of normalized policy alternatives to prevent unbounded expansion. Further details are provided in the Apache mailing list announcement at https://lists.apache.org/thread/p826j0phhmr9f83wzpmys1y0bdfrr2q4 and the OSS-Security posting at http://www.openwall.com/lists/oss-security/2026/05/01/6.
Details
- CWE(s)