Skip to main content

Debian CVE-2026-4645

| EUVDEUVD-2026-14434 HIGH
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2026-03-23 redhat GHSA-x7cq-7pqm-2pgr
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 23, 2026 - 14:00 euvd
EUVD-2026-14434
Analysis Generated
Mar 23, 2026 - 14:00 vuln.today
CVE Published
Mar 23, 2026 - 13:35 nvd
HIGH 7.5

DescriptionCVE.org

A flaw was found in the github.com/antchfx/xpath component. A remote attacker could exploit this vulnerability by submitting crafted Boolean XPath expressions that evaluate to true. This can cause an infinite loop in the logicalQuery.Select function, leading to 100% CPU utilization and a Denial of Service (DoS) condition for the affected system.

AnalysisAI

The antchfx/xpath component in Debian is vulnerable to denial of service when processing specially crafted Boolean XPath expressions, which trigger an infinite loop in the logicalQuery.Select function consuming 100% CPU resources. Unauthenticated remote attackers can exploit this over the network without user interaction to disable affected systems. No patch is currently available.

Technical ContextAI

The vulnerability exists in the github.com/antchfx/xpath library, a Go implementation for XPath query evaluation. The root cause is classified as CWE-835 (Loop with Unreachable Exit Condition / Infinite Loop) in the logicalQuery.Select function. When processing Boolean XPath expressions, the function fails to properly handle certain true-evaluating conditions, leading to an unbounded loop. Affected products include Red Hat Compliance Operator (cpe:2.3:a:red_hat:compliance_operator), Red Hat File Integrity Operator (cpe:2.3:a:red_hat:file_integrity_operator), and Red Hat Migration Toolkit for Applications 8 (cpe:2.3:a:red_hat:migration_toolkit_for_applications_8) across Red Hat Enterprise Linux 9 and 10, as well as OpenShift Container Platform 4, OpenShift Distributed Tracing 3, and Advanced Cluster Management for Kubernetes 2 environments. The vulnerability impacts any application using this XPath library to process untrusted XPath queries.

RemediationAI

Update the github.com/antchfx/xpath library to a version containing the fix committed in https://github.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494. For Red Hat product users, monitor https://access.redhat.com/security/cve/CVE-2026-4645 for vendor-specific patches and apply updates as they become available for Compliance Operator, File Integrity Operator, Migration Toolkit for Applications 8, OpenShift Container Platform 4, Advanced Cluster Management for Kubernetes 2, and OpenShift Distributed Tracing 3. As an interim mitigation, implement input validation and sanitization for XPath expressions before processing, restrict access to XPath query interfaces to trusted sources only, and deploy rate limiting or resource constraints to prevent complete CPU exhaustion. Consider implementing application-level timeouts for XPath query execution to contain the impact of infinite loops.

Vendor StatusVendor

Debian

golang-github-antchfx-xpath
Release Status Fixed Version Urgency
bookworm, bullseye vulnerable 1.1.2-2 -
trixie vulnerable 1.3.3-1 -
forky, sid fixed 1.3.6-1 -
(unstable) fixed 1.3.6-1 -

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed

Share

CVE-2026-4645 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy