{
  "threat_severity" : "Moderate",
  "public_date" : "2026-03-26T19:40:52Z",
  "bugzilla" : {
    "description" : "github.com/antchfx/xpath: github.com/antchfx/xpath: Denial of Service due to infinite loop via boolean XPath expressions",
    "id" : "2451856",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2451856"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.2",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-606",
  "details" : [ "Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as \"1=1\" or \"true()\".", "A flaw was found in github.com/antchfx/xpath. An attacker could exploit this vulnerability by providing specially crafted boolean XPath expressions that evaluate to true. This can cause an infinite loop within the logicalQuery.Select function, leading to 100% CPU utilization. The consequence is a Denial of Service (DoS) condition, making the affected system unresponsive." ],
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift distributed tracing 3.9.2",
    "release_date" : "2026-04-21T00:00:00Z",
    "advisory" : "RHSA-2026:9388",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.9::el9",
    "package" : "rhosdt/opentelemetry-collector-rhel9:sha256:0174a3a6a65cac3b13423b903c9038baaa37c6c3d6dbeee9918c5f576b4f5d7d"
  } ],
  "package_state" : [ {
    "product_name" : "Compliance Operator",
    "fix_state" : "Fix deferred",
    "package_name" : "compliance/openshift-compliance-operator-bundle",
    "cpe" : "cpe:/a:redhat:openshift_compliance_operator:1"
  }, {
    "product_name" : "Compliance Operator",
    "fix_state" : "Fix deferred",
    "package_name" : "compliance/openshift-compliance-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift_compliance_operator:1"
  }, {
    "product_name" : "File Integrity Operator",
    "fix_state" : "Fix deferred",
    "package_name" : "compliance/openshift-compliance-must-gather-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_file_integrity_operator:1"
  }, {
    "product_name" : "File Integrity Operator",
    "fix_state" : "Fix deferred",
    "package_name" : "compliance/openshift-compliance-openscap-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_file_integrity_operator:1"
  }, {
    "product_name" : "File Integrity Operator",
    "fix_state" : "Fix deferred",
    "package_name" : "compliance/openshift-compliance-operator-bundle",
    "cpe" : "cpe:/a:redhat:openshift_file_integrity_operator:1"
  }, {
    "product_name" : "File Integrity Operator",
    "fix_state" : "Fix deferred",
    "package_name" : "compliance/openshift-compliance-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift_file_integrity_operator:1"
  }, {
    "product_name" : "Migration Toolkit for Applications 8",
    "fix_state" : "Fix deferred",
    "package_name" : "mta/mta-cli-rhel9",
    "cpe" : "cpe:/a:redhat:migration_toolkit_applications:8"
  }, {
    "product_name" : "Migration Toolkit for Applications 8",
    "fix_state" : "Fix deferred",
    "package_name" : "mta/mta-dotnet-external-provider-rhel8",
    "cpe" : "cpe:/a:redhat:migration_toolkit_applications:8"
  }, {
    "product_name" : "Migration Toolkit for Applications 8",
    "fix_state" : "Fix deferred",
    "package_name" : "mta/mta-dotnet-external-provider-rhel9",
    "cpe" : "cpe:/a:redhat:migration_toolkit_applications:8"
  }, {
    "product_name" : "Migration Toolkit for Applications 8",
    "fix_state" : "Fix deferred",
    "package_name" : "mta/mta-generic-external-provider-rhel9",
    "cpe" : "cpe:/a:redhat:migration_toolkit_applications:8"
  }, {
    "product_name" : "Migration Toolkit for Applications 8",
    "fix_state" : "Fix deferred",
    "package_name" : "mta/mta-java-external-provider-rhel9",
    "cpe" : "cpe:/a:redhat:migration_toolkit_applications:8"
  }, {
    "product_name" : "Migration Toolkit for Applications 8",
    "fix_state" : "Fix deferred",
    "package_name" : "mta/mta-solution-server-rhel9",
    "cpe" : "cpe:/a:redhat:migration_toolkit_applications:8"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Fix deferred",
    "package_name" : "rhacm2/acm-grafana-rhel9",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "opentelemetry-collector",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "opentelemetry-collector",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Not affected",
    "package_name" : "golang1.25",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Not affected",
    "package_name" : "golang1.26",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "compliance/openshift-compliance-must-gather-rhel8",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "compliance/openshift-compliance-openscap-rhel8",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "compliance/openshift-compliance-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3",
    "fix_state" : "Fix deferred",
    "package_name" : "rhosdt/tempo-jaeger-query-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3",
    "fix_state" : "Fix deferred",
    "package_name" : "rhosdt/tempo-query-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3",
    "fix_state" : "Fix deferred",
    "package_name" : "rhosdt/tempo-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-32287\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32287\nhttps://github.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494\nhttps://github.com/antchfx/xpath/issues/121\nhttps://github.com/golang/vulndb/issues/4526\nhttps://pkg.go.dev/vuln/GO-2026-4526" ],
  "name" : "CVE-2026-32287",
  "csaw" : false
}