Skip to main content

Apache OpenNLP CVE-2026-42440

| EUVDEUVD-2026-27031 HIGH
Memory Allocation with Excessive Size Value (CWE-789)
2026-05-04 apache GHSA-659w-93r5-9j6m
7.5
CVSS 3.1 · Vendor: apache
Share

Severity by source

Vendor (apache) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (apache).

CVSS VectorVendor: apache

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Analysis Generated
May 05, 2026 - 16:24 vuln.today
CVSS changed
May 05, 2026 - 16:22 NVD
7.5 (HIGH)
Patch available
May 04, 2026 - 18:32 EUVD
Patch released
May 04, 2026 - 18:16 nvd
Patch available
EUVD ID Assigned
May 04, 2026 - 17:15 euvd
EUVD-2026-27031
CVE Published
May 04, 2026 - 16:40 nvd
N/A

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 maven packages depend on org.apache.opennlp:opennlp-tools (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.0.0-M1.

DescriptionCVE.org

OOM Denial of Service via Unbounded Array Allocation in Apache OpenNLP AbstractModelReader

Versions Affected:

before 2.5.9

before 3.0.0-M3

Description:

The AbstractModelReader methods getOutcomes(), getOutcomePatterns(), and getPredicates() each read a 32-bit signed integer count field from a binary model stream and pass that value directly to an array allocation (new String[numOutcomes], new int[numOCTypes][], new String[NUM_PREDS]) without validating that the value is non-negative or within a reasonable bound. The count is therefore fully attacker-controlled when the model file originates from an untrusted source.

A crafted .bin model file in which any of these count fields is set to Integer.MAX_VALUE (or any value large enough to exhaust the available heap) triggers an OutOfMemoryError at the array allocation itself, before the corresponding label or pattern data is consumed from the stream. The error occurs very early in deserialization: for a GIS model, getOutcomes() is reached after only the model-type string, the correction constant, and the correction parameter have been read; so the attacker pays no meaningful size cost to weaponize a payload, and a single small file can crash a JVM that loads it. Any code path that deserializes a .bin model is affected, including direct use of GenericModelReader and any higher-level component that delegates to it during model load.

The practical impact is denial of service against processes that load model files from untrusted or semi-trusted origins.

Mitigation:

  • 2.x users should upgrade to 2.5.9.
  • 3.x users should upgrade to 3.0.0-M3.

Note: The fix introduces an upper bound on each of the three count fields, checked before array allocation; counts that are negative or exceed the bound cause an IllegalArgumentException to be thrown and the read to fail fast with no large allocation. The default bound is 10,000,000, which is well above the entry counts of legitimate OpenNLP models but far below any value that would threaten heap exhaustion. Deployments that legitimately need to load models with more entries than the default can raise the limit at JVM startup by setting the OPENNLP_MAX_ENTRIES system property to the desired positive integer (e.g. -DOPENNLP_MAX_ENTRIES=50000000); invalid or non-positive values fall back to the default.

Users who cannot upgrade immediately should treat all .bin model files as untrusted input unless their provenance is verified, and should avoid loading models supplied by end users or fetched from third-party repositories without integrity checks.

AnalysisAI

Remote denial of service in Apache OpenNLP versions before 2.5.9 and 3.0.0-M3 allows unauthenticated attackers to crash JVM processes by uploading malicious .bin model files that trigger OutOfMemoryError through unbounded array allocation. Exploitation requires no authentication (AV:N/AC:L/PR:N) and affects any code path deserializing binary model files from untrusted sources. EPSS score of 0.02% (5th percentile) suggests low widespread exploitation risk, and no active exploitation or public POC has been identified at time of analysis. Vendor-released patches are available with default safeguards limiting count fields to 10 million entries.

Technical ContextAI

Apache OpenNLP is a natural language processing library that deserializes machine learning models from binary .bin files. The vulnerability resides in AbstractModelReader's deserialization methods (getOutcomes(), getOutcomePatterns(), getPredicates()), which read 32-bit signed integer count fields from the binary stream and directly allocate Java arrays (new String[count], new int[count][]) without bounds validation. This is a classic instance of CWE-789 (Memory Allocation with Excessive Size Value), where attacker-controlled input dictates heap allocation size. The count field can be set to Integer.MAX_VALUE (2,147,483,647), causing immediate heap exhaustion before any actual data is consumed. Because the vulnerable code executes early in the deserialization sequence-after reading only the model-type string and correction parameters in GIS models-attackers can craft tiny malicious files with devastating impact. The affected CPE (cpe:2.3:a:apache_software_foundation:apache_opennlp) covers all 2.x releases before 2.5.9 and 3.0.0 milestones before M3.

RemediationAI

Upgrade to Apache OpenNLP 2.5.9 for 2.x deployments or 3.0.0-M3 for 3.x deployments. Both releases implement pre-allocation validation that rejects negative counts or values exceeding 10 million entries (default bound), throwing IllegalArgumentException before heap allocation occurs. Deployments with legitimate models exceeding 10 million entries can raise the limit via JVM system property: -DOPENNLP_MAX_ENTRIES=50000000. For environments unable to upgrade immediately, implement strict input validation: accept model files only from cryptographically signed sources or vendor-trusted repositories, verify file integrity using SHA-256 checksums published by model authors, and isolate model-loading processes in containers with heap limits (e.g., docker run -m 512m) to prevent JVM crashes from cascading to other services-though this only limits blast radius and does not prevent DoS of the isolated process. Do not expose model upload endpoints to unauthenticated users or load models from user-generated content platforms without sandboxing. Advisory and patches available at https://lists.apache.org/thread/s8xlkx1gqbxfsq48py5h6jphjvgqp1jo.

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-42440 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy