Denial of Service Due to Unbounded Array Allocation in Apache OpenNLP
CVE-2026-42440
What is CVE-2026-42440?
The vulnerability exists within the AbstractModelReader methods in Apache OpenNLP, where attacker-controlled values can lead to unbounded array allocations during model file deserialization. This allows an attacker to craft a .bin model file that, when loaded, can trigger an OutOfMemoryError, resulting in service disruption. This issue affects any code path that deserializes .bin models, making it critical for users to upgrade to the latest versions for mitigation.
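The defect class described above is a length-prefixed deserializer that allocates an array sized by a count read straight from the file, before checking that the file could possibly contain that many elements. The following Python example is added here to illustrate the point; it is not Apache OpenNLP's code, and the record layout it reads (a big-endian int32 element count followed by Java DataInput-style strings, each a uint16 length plus UTF-8 bytes), the hard cap MAX_ARRAY_ELEMENTS and the helper names are all assumptions. It places the unbounded reader beside a bounded one that refuses any count exceeding a cap or exceeding what the remaining bytes can encode, so a small file declaring a huge array fails fast with a format error instead of an OutOfMemoryError.

```python
import io
import struct

# Assumed upper bound on any single array declared by a model file (not an OpenNLP constant).
MAX_ARRAY_ELEMENTS = 1_000_000
# Smallest encoding of one string element in the assumed layout: a 2-byte length with no payload.
MIN_ELEMENT_BYTES = 2


class ModelFormatError(ValueError):
    """Raised when a model file declares more than its bytes can back up."""


def _read_exact(stream: io.BytesIO, n: int) -> bytes:
    buf = stream.read(n)
    if len(buf) != n:
        raise ModelFormatError(f"truncated input: wanted {n} bytes, got {len(buf)}")
    return buf


def read_int(stream: io.BytesIO) -> int:
    """Big-endian signed 32-bit integer, like Java's DataInput.readInt."""
    return struct.unpack(">i", _read_exact(stream, 4))[0]


def read_utf(stream: io.BytesIO) -> str:
    """uint16 byte length followed by UTF-8 payload (assumed, DataInput.readUTF-like)."""
    (length,) = struct.unpack(">H", _read_exact(stream, 2))
    return _read_exact(stream, length).decode("utf-8")


def encode_string_array(items: list[str]) -> bytes:
    """Writer for the assumed layout, used only to build sample input."""
    out = struct.pack(">i", len(items))
    for s in items:
        payload = s.encode("utf-8")
        out += struct.pack(">H", len(payload)) + payload
    return out


def read_string_array_unbounded(data: bytes) -> list[str]:
    """Vulnerable pattern: trust the declared count and allocate before reading elements.

    A file a few bytes long can declare 2**31 - 1 elements; the allocation alone exhausts memory.
    """
    stream = io.BytesIO(data)
    count = read_int(stream)
    items = [None] * count                 # size chosen entirely by the input file
    for i in range(count):
        items[i] = read_utf(stream)
    return items


def read_string_array_bounded(data: bytes) -> list[str]:
    """Hardened pattern: validate the count against a cap and the bytes actually present."""
    stream = io.BytesIO(data)
    count = read_int(stream)
    if count < 0:
        raise ModelFormatError(f"negative element count {count}")
    if count > MAX_ARRAY_ELEMENTS:
        raise ModelFormatError(f"element count {count} exceeds cap {MAX_ARRAY_ELEMENTS}")
    remaining = len(data) - stream.tell()
    # Every element needs at least MIN_ELEMENT_BYTES, so a count the file cannot hold is rejected
    # before a single slot is allocated.
    if count * MIN_ELEMENT_BYTES > remaining:
        raise ModelFormatError(
            f"element count {count} needs at least {count * MIN_ELEMENT_BYTES} bytes, "
            f"only {remaining} remain")
    items = []
    for _ in range(count):
        items.append(read_utf(stream))   # grows only as real elements are parsed
    return items


def rejects(data: bytes) -> bool:
    """True if the bounded reader refuses the input with a ModelFormatError."""
    try:
        read_string_array_bounded(data)
    except ModelFormatError:
        return True
    return False


if __name__ == "__main__":
    good = encode_string_array(["the", "quick", "fox"])
    print(read_string_array_bounded(good))
    # Constructed sample: 7-byte body that declares 1000 elements.
    undersized = struct.pack(">i", 1000) + b"\x00\x05hello"
    print("rejected:", rejects(undersized))
```

The two checks are independent: the cap bounds the worst case even when the file is genuinely large, and the remaining-bytes check catches a tiny file that declares a count under the cap but still far beyond its own size. Appending elements as they are parsed, rather than preallocating from the count, keeps memory proportional to bytes actually consumed.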
Affected Version(s)
Apache OpenNLP: all versions before 2.5.9
Apache OpenNLP 3.0 series: versions before 3.0.0-M3