
CVE-2026-42403

Severity: High · Denial of Service

Published: 01 May 2026
Modified: 01 May 2026
KEV Added: not listed
Patch: available (fixed in Apache Neethi 3.2.2)
CVSS v3.1: 7.5 (High), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.0004 (11.8th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-42403 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Apache Neethi. Its CVSS base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique T1499.004 (Endpoint Denial of Service: Application or System Exploitation). EPSS ranks it at the 11.8th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The primary remediation is the vendor fix (NIST 800-53 SI-2, Flaw Remediation: upgrade to Neethi 3.2.2); the strongest compensating controls our analysis identified are SC-5 (Denial-of-Service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-42403 is a vulnerability in Apache Neethi, a Java library for processing WS-Policy documents. The issue stems from the library's failure to detect circular references in policy definitions. When a WS-Policy document includes circular references, such as Policy A referencing Policy B which in turn references Policy A, the policy normalization process can enter an infinite loop or recurse without bound. In a Java process, unbounded recursion surfaces as a StackOverflowError in the thread performing the normalization, and an infinite loop pins that thread; either way the application hangs or crashes, giving a denial-of-service (DoS) condition. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is classified as CWE-400 (Uncontrolled Resource Consumption).

An unauthenticated attacker with network access can exploit this by delivering a crafted WS-Policy document containing circular references to any application or service that processes WS-Policy through Apache Neethi. No privileges or user interaction are required and the attack is low complexity. Successful exploitation exhausts the call stack or spins the processing thread, causing the target to hang or crash; confidentiality and integrity are not affected. Exposure in practice depends on where a deployment's policy documents come from: a service that only loads policies from its own deployment artefacts is reachable only if an attacker can modify those, whereas one that parses policies from inbound messages, remote WSDL or other metadata fetched from untrusted endpoints is directly exposed.
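The mechanism above, as an added example that is not Apache Neethi's code and calls no Neethi API: a small WS-Policy reference resolver written first the way the advisory describes the flaw (references followed with no cycle check) and then with path-based cycle detection, run over two constructed documents. The cyclic document is the A-to-B-to-A case from the text; the second is a diamond (A references B and C, both reference D), which a correct resolver must accept, so a naive "already seen" set is the wrong fix. Element names follow WS-Policy 1.5; the ex:* assertion names and the document contents are made up for illustration.

```python
"""WS-Policy reference resolution with and without cycle detection.

Added example for this page, not Apache Neethi's code; it calls no Neethi API.
The documents are constructed inline; element names follow WS-Policy 1.5 and
the ex:* assertion names are invented for illustration."""
import xml.etree.ElementTree as ET
from typing import Optional

WSP = "http://www.w3.org/ns/ws-policy"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
POLICY, REF, ALL, ONE = (f"{{{WSP}}}{n}" for n in
                         ("Policy", "PolicyReference", "All", "ExactlyOne"))
ID_ATTR = f"{{{WSU}}}Id"
HEAD = f'<root xmlns:wsp="{WSP}" xmlns:wsu="{WSU}" xmlns:ex="urn:example">'

# Constructed: A references B and B references A (the case in the advisory text).
CYCLIC_DOC = HEAD + """
  <wsp:Policy wsu:Id="A"><wsp:All><ex:RequireTLS/><wsp:PolicyReference URI="#B"/></wsp:All></wsp:Policy>
  <wsp:Policy wsu:Id="B"><wsp:All><ex:RequireSignature/><wsp:PolicyReference URI="#A"/></wsp:All></wsp:Policy>
</root>"""

# Constructed: a diamond (A -> B -> D and A -> C -> D). D is reached twice on
# different paths, which is legitimate reuse, not a cycle.
DIAMOND_DOC = HEAD + """
  <wsp:Policy wsu:Id="A"><wsp:All><wsp:PolicyReference URI="#B"/><wsp:PolicyReference URI="#C"/></wsp:All></wsp:Policy>
  <wsp:Policy wsu:Id="B"><wsp:All><ex:RequireTLS/><wsp:PolicyReference URI="#D"/></wsp:All></wsp:Policy>
  <wsp:Policy wsu:Id="C"><wsp:All><ex:RequireSignature/><wsp:PolicyReference URI="#D"/></wsp:All></wsp:Policy>
  <wsp:Policy wsu:Id="D"><wsp:All><ex:RequireTimestamp/></wsp:All></wsp:Policy>
</root>"""


class CircularPolicyReference(ValueError):
    """Raised instead of recursing when a reference chain loops back on itself."""


def load_registry(doc: str) -> dict:
    """Index every wsp:Policy carrying a wsu:Id; these are the '#id' reference targets."""
    root = ET.fromstring(doc)
    return {p.get(ID_ATTR): p for p in root.iter(POLICY) if p.get(ID_ATTR)}


def _target(ref: ET.Element, registry: dict) -> ET.Element:
    """Resolve a local '#id' reference; anything else is rejected rather than fetched."""
    uri = ref.get("URI", "")
    if not uri.startswith("#") or uri[1:] not in registry:
        raise ValueError(f"unresolvable policy reference {uri!r}")
    return registry[uri[1:]]


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]


def collect_naive(policy: ET.Element, registry: dict) -> list:
    """Flatten to assertion names, following references with no cycle check.
    Mirrors the flaw the advisory describes: on CYCLIC_DOC the recursion never
    bottoms out (RecursionError here, StackOverflowError in a Java process)."""
    out = []
    for child in policy:
        if child.tag == REF:
            out.extend(collect_naive(_target(child, registry), registry))
        elif child.tag in (POLICY, ALL, ONE):
            out.extend(collect_naive(child, registry))
        else:
            out.append(_local(child.tag))
    return out


def collect_safe(policy: ET.Element, registry: dict, path: tuple = ()) -> list:
    """Same flattening, but carries the chain of policy Ids on the current
    resolution path. Meeting an Id already on that path is a cycle and is
    rejected before any further recursion; meeting it on another path is fine."""
    pid = policy.get(ID_ATTR)
    if pid is not None:
        if pid in path:
            loop = path[path.index(pid):] + (pid,)
            raise CircularPolicyReference(" -> ".join(loop))
        path = path + (pid,)
    out = []
    for child in policy:
        if child.tag == REF:
            out.extend(collect_safe(_target(child, registry), registry, path))
        elif child.tag in (POLICY, ALL, ONE):
            out.extend(collect_safe(child, registry, path))
        else:
            out.append(_local(child.tag))
    return out


def naive_outcome(doc: str, policy_id: str) -> str:
    """'ok' if the unchecked resolver terminates, 'RecursionError' if it blows the stack."""
    registry = load_registry(doc)
    try:
        collect_naive(registry[policy_id], registry)
    except RecursionError:
        return "RecursionError"
    return "ok"


def resolve(doc: str, policy_id: str) -> list:
    registry = load_registry(doc)
    return collect_safe(registry[policy_id], registry)


def detect_cycle(doc: str, policy_id: str) -> Optional[str]:
    """Return the offending chain (e.g. 'A -> B -> A'), or None if the document is acyclic."""
    try:
        resolve(doc, policy_id)
    except CircularPolicyReference as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(naive_outcome(CYCLIC_DOC, "A"))   # RecursionError
    print(detect_cycle(CYCLIC_DOC, "A"))    # A -> B -> A
    print(resolve(DIAMOND_DOC, "A"))
```

The check is deliberately per-path rather than a global visited set: the diamond resolves to its four assertions (D contributes on both branches), while the cyclic document is rejected with the exact loop named, which is what an operator wants in a log line. Python stops the unchecked resolver with RecursionError at its interpreter limit; a JVM has no such soft limit, and a StackOverflowError on a request thread is the crash-or-hang outcome the advisory describes. Resolving only local '#id' references is also a deliberate choice; following remote URIs from untrusted documents would add an SSRF surface unrelated to this CVE.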

The Apache security advisory recommends upgrading to Apache Neethi 3.2.2 or later, which addresses the issue by detecting circular references during policy normalization. Additional details are available in the official Apache announcement and the oss-security mailing list discussion.


Vulnerability details

Apache Neethi does not properly detect circular references in policy definitions. When a WS-Policy document contains circular policy references (where Policy A references Policy B which references Policy A), the policy normalization process can enter an infinite loop or cause excessive recursion, leading to a stack overflow or application hang. An attacker can craft malicious policy documents with circular references to cause a Denial of Service condition. Users are recommended to upgrade to version 3.2.2, which fixes this issue.

CWE(s)

CWE-400 Uncontrolled Resource Consumption

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1499.004 Endpoint Denial of Service: Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability enables DoS via crafted WS-Policy input that drives unbounded recursion and a stack overflow in the processing application, which maps directly to application or system exploitation for endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-42402 (same product: Apache Neethi)
CVE-2025-23184 (same vendor: Apache)
CVE-2026-42404 (same product: Apache Neethi)
CVE-2026-39304 (same vendor: Apache)
CVE-2026-49361 (same vendor: Apache)
CVE-2024-45626 (same vendor: Apache)
CVE-2026-41284 (same vendor: Apache)
CVE-2026-41636 (same vendor: Apache)
CVE-2025-53477 (same vendor: Apache)
CVE-2025-48431 (same vendor: Apache)

Affected Assets

Vendor: apache
Product: neethi
Versions: earlier than 3.2.2 (fixed in 3.2.2)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent): requires timely flaw remediation, which addresses this CVE directly by upgrading Apache Neethi to 3.2.2, the release that adds circular reference detection.

SI-10 Information Input Validation (prevent): mandates validation of external inputs such as WS-Policy documents, so that references are checked for cycles and documents containing them are rejected before normalization runs, preventing the infinite loop or unbounded recursion.

SC-5 Denial-of-Service Protection (prevent): provides resource limits that bound the damage from malicious policy processing, such as limits on the size and nesting depth of inbound policy documents, processing timeouts, and isolating policy parsing so a stack overflow or hang in one worker thread does not take the whole service down.
