Neethi denial of service via XML (CVE-2026-42402)
CVE-2026-42402: Apache Neethi 3.x denial of service via crafted WS-Policy XML that exhausts JVM memory during policy normalization (CVSS 7.5). Upgrade to Neethi 3.2.2, which caps the number of normalized policy alternatives.
Vendor-confirmed - CVE-2026-42402 is a high-severity denial of service in Apache Neethi 3.x that lets an unauthenticated attacker exhaust the JVM heap by submitting a specially crafted WS-Policy document. Patched in version 3.2.2; upgrade to prevent memory exhaustion.
Overview
CVE-2026-42402 is an algorithmic complexity vulnerability in the policy normalization component of Apache Neethi, the WS-Policy library used by Apache CXF and other SOAP stacks. WS-Policy normalization rewrites a policy into a single ExactlyOne of All elements, each All being one complete alternative; every ExactlyOne nested inside an All multiplies the number of alternatives, so the normal form is the Cartesian product of the choices. A crafted policy with k ExactlyOne elements of m assertions each is only a few lines of XML but normalizes to m^k alternatives. Materializing that expansion consumes all available JVM heap memory, resulting in a complete denial of service.
The vulnerability is exploitable over the network (CVSS 3.1 AV:N/AC:L/PR:N/UI:N): low attack complexity, no privileges and no user interaction. An attacker only needs to submit a crafted, syntactically valid WS-Policy document to a service that normalizes policies with Neethi. At the time of writing the EPSS probability of exploitation in the next 30 days is 0.0%, and the issue is not confirmed to be actively exploited.
Impact
An unauthenticated attacker can trigger the expansion without any user interaction. The result is a complete denial of service of the target service and of any other application sharing the same JVM heap, since an OutOfMemoryError is not confined to the offending request. No privileges are required beyond the ability to reach the policy-processing endpoint. The underlying weakness is that the cost of normalizing the input grows exponentially with the number of nested choice points rather than linearly with the document's size, so ordinary request-size limits do not bound it.
Remediation and Mitigation
Upgrade: Apache Neethi 3.2.2 introduces a configurable limit on the maximum number of normalized policy alternatives. Upgrade to this version or later to prevent the unbounded expansion and eliminate the vulnerability.
Mitigation (if upgrade is not immediately possible): restrict access to WS-Policy processing endpoints from untrusted networks. At a reverse proxy or API gateway, bound the complexity of incoming WS-Policy documents and not only their byte size: cap the nesting depth and the number of ExactlyOne elements, or compute the alternative count (products over All, sums over ExactlyOne) before forwarding, since a document of a few kilobytes can still expand to billions of alternatives. If your application does not consume WS-Policy at all, consider disabling policy processing.
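The expansion described in the Overview and the gateway-side complexity check suggested above, as an added example that is not part of this advisory or of Neethi's code base and uses none of Neethi's API. It implements the WS-Policy normalization algebra twice: once as a linear-time count of how many alternatives the normal form would have, usable as a pre-filter before a document reaches the normalizer, and once as the materializing expansion with an assumed cap in the spirit of the limit Neethi 3.2.2 adds. The names count_alternatives, normalize, PolicyTooComplex and max_alternatives are this example's own, and the policy documents are constructed sample input.

```python
"""Illustrative WS-Policy normalizer with an alternative-count guard.

Added example for this advisory: it is not Apache Neethi code and uses
none of its API.  count_alternatives, normalize, PolicyTooComplex and
max_alternatives are names chosen here, not Neethi's.
"""
import itertools
from xml.etree import ElementTree as ET

WSP = "http://www.w3.org/ns/ws-policy"          # WS-Policy 1.5 namespace
POLICY = f"{{{WSP}}}Policy"
ALL = f"{{{WSP}}}All"
EXACTLY_ONE = f"{{{WSP}}}ExactlyOne"


class PolicyTooComplex(Exception):
    """Raised when normalization would produce more alternatives than allowed."""


def count_alternatives(elem):
    """Size of the normal form of `elem`, computed without materializing it.

    Policy and All multiply their children's counts (cross product),
    ExactlyOne sums them (union), and an assertion is a single alternative.
    Linear in the document size, so it is cheap enough to run at a gateway
    before the document is handed to the real normalizer.
    """
    if elem.tag in (POLICY, ALL):
        total = 1
        for child in elem:
            total *= count_alternatives(child)
        return total
    if elem.tag == EXACTLY_ONE:
        return sum(count_alternatives(child) for child in elem)
    return 1  # assertion; policies nested inside assertions are ignored here


def normalize(elem, max_alternatives=None):
    """Expand `elem` into its alternatives, each a tuple of assertion tags.

    This materializing step is where the memory goes.  The assumed cap is
    enforced on every intermediate product, not only on the final result:
    a trailing empty ExactlyOne makes the final count zero while the
    intermediate products are still huge.
    """
    def check(alts):
        if max_alternatives is not None and len(alts) > max_alternatives:
            raise PolicyTooComplex(
                f"{len(alts)} alternatives exceed the cap of {max_alternatives}")
        return alts

    if elem.tag in (POLICY, ALL):
        alts = [()]
        for child in elem:
            alts = check([a + b for a, b in
                          itertools.product(alts, normalize(child, max_alternatives))])
        return alts
    if elem.tag == EXACTLY_ONE:
        return check([alt for child in elem
                      for alt in normalize(child, max_alternatives)])
    return [(elem.tag,)]


# Constructed sample: two choice points -> 2 * 2 = 4 alternatives.
SAMPLE_XML = """\
<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:ex="urn:example">
  <wsp:ExactlyOne>
    <ex:A/>
    <ex:B/>
  </wsp:ExactlyOne>
  <wsp:ExactlyOne>
    <wsp:All><ex:C/><ex:D/></wsp:All>
    <ex:E/>
  </wsp:ExactlyOne>
</wsp:Policy>
"""


def make_payload(k, m=2):
    """Constructed attacker-style document: k ExactlyOne children with m
    assertions each.  Roughly k*m elements, but m**k alternatives."""
    policy = ET.Element(POLICY)
    for i in range(k):
        choice = ET.SubElement(policy, EXACTLY_ONE)
        for j in range(m):
            ET.SubElement(choice, f"{{urn:example}}Assertion{i}_{j}")
    return policy


if __name__ == "__main__":
    sample = ET.fromstring(SAMPLE_XML)
    print(count_alternatives(sample), normalize(sample))
    payload = make_payload(40)
    print(f"{count_alternatives(payload):,} alternatives from "
          f"{sum(1 for _ in payload.iter())} elements")
    try:
        normalize(payload, max_alternatives=10_000)
    except PolicyTooComplex as exc:
        print("rejected:", exc)
```

The 40-choice payload is 121 elements yet normalizes to 2^40 alternatives; count_alternatives reports that instantly, while the capped normalize rejects the document after the fourteenth choice point instead of allocating its way to an OutOfMemoryError. A gateway that only checks byte size would forward it.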
Security Insight
CVE-2026-42402 is a textbook algorithmic complexity attack on an XML processing library, the same class as the billion laughs entity-expansion attack (XML bomb) against XML parsers and the hash-collision denial of service against hash tables in Java and other runtimes. That it took more than a decade of WS-Policy use for this flaw to be found and fixed in Neethi underscores how easily complexity vulnerabilities hide in mature libraries. Treat algorithmic complexity as a first-class threat during code review, particularly in any component that transforms, expands, or normalizes structured input: every expansion step should carry a bound on the size of its output. See the related Apache ActiveMQ CVE-2026-34197 added to CISA KEV catalog for another recent Java-based DoS vector.
Related Advisories
Apache Neethi does not properly detect circular references in policy definitions. When a WS-Policy document contains circular policy references (where Policy A references Policy B which references Pol...
Microsoft Defender Denial of Service Vulnerability...
Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ. ActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates ...
A vulnerability in the DHCP snooping feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause BOOTP packets to be forwarded between VLANs, resulting in a denial of ser...