Apache Neethi stack overflow via circular refs (CVE-2026-42403)
CVE-2026-42403: Apache Neethi does not detect circular references, enabling denial of service via stack overflow. CVSS 7.5. No active exploitation evidence. Upgrade to 3.2.2.
Vendor-confirmed - CVE-2026-42403 is a high-severity denial-of-service vulnerability in Apache Neethi that lets an attacker cause a stack overflow or application hang by sending a policy document with circular references. No active exploitation has been observed; users are recommended to upgrade to version 3.2.2.
Overview
Apache Neethi is a library for building WS-Policy documents, used by Apache web services to define policy assertions. CVE-2026-42403 arises because Neethi does not detect circular references in policy definitions. When an attacker sends a WS-Policy document containing a circular chain - Policy A references Policy B, which references Policy A - the policy normalization process enters an infinite loop or triggers excessive recursion. This results in either a stack overflow, crashing the application, or a complete hang that makes the service unresponsive to legitimate requests.
The vulnerability is exploitable remotely with no authentication and no user interaction required (CVSS 7.5, AV:N/AC:L/PR:N/UI:N). An attacker can craft a small, simple malicious document and send it to any endpoint that processes WS-Policy with Apache Neethi. The resulting denial of service blocks all legitimate traffic until the process is manually restarted, impacting availability for the duration of the hang.
Impact
- Denial of service via application crash or hang.
- No data leakage, privilege escalation, or remote code execution is possible.
- Affects any service that uses Apache Neethi to parse or normalize WS-Policy documents. If you run Apache CXF, Axis2, or any custom WS-Policy consumer relying on Neethi, you are in scope.
- No authentication barrier - any network-accessible endpoint processing policy documents can be targeted.
Remediation
Upgrade to Fixed Version
The vendor has released Apache Neethi 3.2.2, which adds circular reference detection. Update your dependency to this version or later.
Maven:
    <dependency>
        <groupId>org.apache.neethi</groupId>
        <artifactId>neethi</artifactId>
        <version>3.2.2</version>
    </dependency>
Mitigation (If Upgrade Is Not Immediately Possible)
- Restrict network access to endpoints that accept WS-Policy documents to trusted IP ranges only.
- Apply input size limits or timeout values for policy processing in your application server or reverse proxy to limit the impact of a hang attempt.
- Monitor application logs for stack overflow errors or unusually high CPU/memory usage on WS-Policy processing threads.
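The circular chain described in the Overview (Policy A references Policy B, which references Policy A) can be detected before a document ever reaches Neethi's normalizer. The following is an added example of such a pre-check, written for this advisory and not code from the Neethi project; it assumes policies are identified by wsu:Id and referenced through local fragment URIs ("#id"), the usual shape in WSDL-embedded policy, and uses constructed fixtures for both the circular and an acyclic case.

```python
import xml.etree.ElementTree as ET

WSP = "http://www.w3.org/ns/ws-policy"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
POLICY, POLICY_REF, WSU_ID = f"{{{WSP}}}Policy", f"{{{WSP}}}PolicyReference", f"{{{WSU}}}Id"

def build_reference_graph(xml_text):
    """Map each wsu:Id'd policy to the local ids it references, including
    references nested inside operators such as wsp:All / wsp:ExactlyOne."""
    graph = {}
    for pol in ET.fromstring(xml_text).iter(POLICY):
        pid = pol.get(WSU_ID)
        if pid is not None:
            graph[pid] = [r.get("URI")[1:] for r in pol.iter(POLICY_REF)
                          if r.get("URI", "").startswith("#")]
    return graph

def find_policy_cycle(xml_text):
    """Return the ids along a reference cycle (e.g. ['A', 'B', 'A']) or None.
    Iterative DFS, so the check itself cannot be pushed into a stack overflow."""
    graph = build_reference_graph(xml_text)
    WHITE, GRAY, BLACK = 0, 1, 2
    color = dict.fromkeys(graph, WHITE)
    for start in graph:
        if color[start] != WHITE:
            continue
        color[start] = GRAY
        path, frontier = [start], [iter(graph[start])]
        while frontier:
            nxt = next(frontier[-1], None)
            if nxt is None:            # every reference of path[-1] explored
                color[path.pop()] = BLACK
                frontier.pop()
            elif nxt not in graph:     # dangling reference: not a cycle, Neethi reports it
                continue
            elif color[nxt] == GRAY:   # back edge: nxt is already on the current path
                return path[path.index(nxt):] + [nxt]
            elif color[nxt] == WHITE:
                color[nxt] = GRAY
                path.append(nxt)
                frontier.append(iter(graph[nxt]))
    return None

# Constructed fixtures: A -> B -> A (the shape the advisory describes) and an acyclic variant.
_HDR = (f'<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" '
        f'xmlns:wsp="{WSP}" xmlns:wsu="{WSU}">')
_A = '<wsp:Policy wsu:Id="A"><wsp:PolicyReference URI="#B"/></wsp:Policy>'
CIRCULAR_DOC = _HDR + _A + ('<wsp:Policy wsu:Id="B"><wsp:All><wsp:PolicyReference URI="#A"/>'
                            '</wsp:All></wsp:Policy></wsdl:definitions>')
ACYCLIC_DOC = _HDR + _A + ('<wsp:Policy wsu:Id="B"><wsp:PolicyReference URI="#Missing"/>'
                           '</wsp:Policy></wsdl:definitions>')
```

A request filter or reverse-proxy hook can reject any document for which find_policy_cycle returns a non-None path; this does not replace the 3.2.2 upgrade, which fixes the normalizer itself.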
Security Insight
CVE-2026-42403 is a reminder that even mature libraries for infrastructure protocols - WS-Policy has existed for two decades - can harbor simple but impactful recursion bugs. This class of vulnerability (CWE-835, Loop with Unreachable Exit Condition) is often missed because code paths for “maliciously ill-formed” input are not tested. The low exploit probability (EPSS 0.0%) does not reduce the operational cost of a single successful denial of service. For context, similar circular-reference bugs in XML parsers have been found in Apache Xerces (CVE-2003-0546) and libxml2. The fix here is straightforward with no performance regression risk, making upgrading the clear decision over mitigation.