Denial of Service Vulnerability in Apache Neethi Affecting Memory Allocation
CVE-2026-42402

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Neethi
Vendor: CVE Published:; 1 May 2026

What is CVE-2026-42402?

Apache Neethi exhibits a vulnerability that can be exploited to execute a Denial of Service attack due to its handling of WS-Policy documents. The flaw arises from the algorithmic complexity during the policy normalization process, which can lead to the system exhausting its memory. When specially crafted WS-Policy documents are processed, they can trigger an exponential increase in the number of normalized policy alternatives, pushing the JVM heap to its limits. Users are advised to upgrade to version 3.2.2 to mitigate this issue, as this version enforces a cap on the maximum number of normalized policy alternatives.

Affected Version(s)

Apache Neethi 0 < 3.2.2

References

https://lists.apache.org/thread/p826j0phhmr9f83wzpmys1y0b...

vendor-advisory

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 1, 2026
Vulnerability Reserved
Apr 27, 2026

CVE-2026-42402 Data

JSON