{
  "threat_severity" : "Moderate",
  "public_date" : "2026-05-01T08:38:16Z",
  "bugzilla" : {
    "description" : "org.apache.neethi: Apache Neethi: Denial of Service via circular policy references",
    "id" : "2464314",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2464314"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-606",
  "details" : [ "A flaw was found in Apache Neethi. An attacker can exploit this vulnerability by crafting malicious WS-Policy documents that contain circular policy references. This can cause the policy normalization process to enter an infinite loop or excessive recursion, leading to a stack overflow or application hang. Consequently, a remote attacker can trigger a Denial of Service (DoS) condition." ],
  "statement" : "This Moderate flaw in Apache Neethi allows a remote attacker to trigger a Denial of Service condition. By crafting malicious WS-Policy documents with circular references, an attacker can cause the policy normalization process to enter an infinite loop or excessive recursion, leading to application instability or a hang. This can disrupt services relying on Apache Neethi for policy processing. In order to exploit this vulnerability, the attack should have enough privileges in the targeted system to include the maliciously crafted policy document or trick the user to consume it.",
  "affected_release" : [ {
    "product_name" : "Red Hat Build of Apache Camel 4.14 for Quarkus 3.27",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19835",
    "cpe" : "cpe:/a:redhat:apache_camel_quarkus:3.27",
    "package" : "neethi"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3",
    "fix_state" : "Affected",
    "package_name" : "neethi",
    "cpe" : "cpe:/a:redhat:camel_quarkus:3"
  }, {
    "product_name" : "Red Hat build of Apache Camel for Spring Boot 4",
    "fix_state" : "Fix deferred",
    "package_name" : "neethi",
    "cpe" : "cpe:/a:redhat:camel_spring_boot:4"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Fix deferred",
    "package_name" : "neethi",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Fix deferred",
    "package_name" : "neethi",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Fix deferred",
    "package_name" : "neethi",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Fix deferred",
    "package_name" : "neethi",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Fix deferred",
    "package_name" : "neethi",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Fix deferred",
    "package_name" : "neethi",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-42403\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-42403\nhttps://lists.apache.org/thread/zm6t8skkkskjwk1881l4m4n0l7dqclzo" ],
  "name" : "CVE-2026-42403",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}