{
  "threat_severity" : "Moderate",
  "public_date" : "2026-05-01T08:54:41Z",
  "bugzilla" : {
    "description" : "org.apache.neethi: Apache Neethi: Denial of Service via algorithmic complexity in policy normalization",
    "id" : "2464315",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2464315"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-770",
  "details" : [ "A flaw was found in Apache Neethi. A remote attacker can exploit this vulnerability by providing specially crafted WS-Policy documents. This triggers an algorithmic complexity issue during policy normalization, leading to an exponential expansion of policy alternatives. This unbounded memory allocation exhausts the Java Virtual Machine (JVM) heap, resulting in a Denial of Service (DoS) condition." ],
  "statement" : "This flaw is rated Moderate because Apache Neethi, as used in Red Hat products, is susceptible to a denial of service. Remote attackers can provide malicious WS-Policy documents, leading to an algorithmic complexity issue during policy normalization. This results in unbounded memory allocation, exhausting the JVM heap and causing service unavailability. In order to exploit this vulnerability, the attack should have enough privileges in the targeted system to include the maliciously crafted policy document or trick the user to consume it.",
  "affected_release" : [ {
    "product_name" : "Red Hat Build of Apache Camel 4.14 for Quarkus 3.27",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19835",
    "cpe" : "cpe:/a:redhat:apache_camel_quarkus:3.27",
    "package" : "neethi"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3",
    "fix_state" : "Affected",
    "package_name" : "neethi",
    "cpe" : "cpe:/a:redhat:camel_quarkus:3"
  }, {
    "product_name" : "Red Hat build of Apache Camel for Spring Boot 4",
    "fix_state" : "Fix deferred",
    "package_name" : "neethi",
    "cpe" : "cpe:/a:redhat:camel_spring_boot:4"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Fix deferred",
    "package_name" : "neethi",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Fix deferred",
    "package_name" : "neethi",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Fix deferred",
    "package_name" : "neethi",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Fix deferred",
    "package_name" : "neethi",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Fix deferred",
    "package_name" : "neethi",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Fix deferred",
    "package_name" : "neethi",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-42402\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-42402\nhttps://lists.apache.org/thread/p826j0phhmr9f83wzpmys1y0bdfrr2q4" ],
  "name" : "CVE-2026-42402",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}