Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
A flaw was found in the github.com/antchfx/xpath component. A remote attacker could exploit this vulnerability by submitting crafted Boolean XPath expressions that evaluate to true. This can cause an infinite loop in the logicalQuery.Select function, leading to 100% CPU utilization and a Denial of Service (DoS) condition for the affected system.
AnalysisAI
The antchfx/xpath component in Debian is vulnerable to denial of service when processing specially crafted Boolean XPath expressions, which trigger an infinite loop in the logicalQuery.Select function consuming 100% CPU resources. Unauthenticated remote attackers can exploit this over the network without user interaction to disable affected systems. No patch is currently available.
Technical ContextAI
The vulnerability exists in the github.com/antchfx/xpath library, a Go implementation for XPath query evaluation. The root cause is classified as CWE-835 (Loop with Unreachable Exit Condition / Infinite Loop) in the logicalQuery.Select function. When processing Boolean XPath expressions, the function fails to properly handle certain true-evaluating conditions, leading to an unbounded loop. Affected products include Red Hat Compliance Operator (cpe:2.3:a:red_hat:compliance_operator), Red Hat File Integrity Operator (cpe:2.3:a:red_hat:file_integrity_operator), and Red Hat Migration Toolkit for Applications 8 (cpe:2.3:a:red_hat:migration_toolkit_for_applications_8) across Red Hat Enterprise Linux 9 and 10, as well as OpenShift Container Platform 4, OpenShift Distributed Tracing 3, and Advanced Cluster Management for Kubernetes 2 environments. The vulnerability impacts any application using this XPath library to process untrusted XPath queries.
RemediationAI
Update the github.com/antchfx/xpath library to a version containing the fix committed in https://github.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494. For Red Hat product users, monitor https://access.redhat.com/security/cve/CVE-2026-4645 for vendor-specific patches and apply updates as they become available for Compliance Operator, File Integrity Operator, Migration Toolkit for Applications 8, OpenShift Container Platform 4, Advanced Cluster Management for Kubernetes 2, and OpenShift Distributed Tracing 3. As an interim mitigation, implement input validation and sanitization for XPath expressions before processing, restrict access to XPath query interfaces to trusted sources only, and deploy rate limiting or resource constraints to prevent complete CPU exhaustion. Consider implementing application-level timeouts for XPath query execution to contain the impact of infinite loops.
Same technique Denial Of Service
View allVendor StatusVendor
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bookworm, bullseye | vulnerable | 1.1.2-2 | - |
| trixie | vulnerable | 1.3.3-1 | - |
| forky, sid | fixed | 1.3.6-1 | - |
| (unstable) | fixed | 1.3.6-1 | - |
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Public Cloud 15 SP4 | Fixed |
| SUSE Linux Enterprise Module for Public Cloud 15 SP5 | Fixed |
| SUSE Linux Enterprise Server 15 SP4 | Fixed |
| SUSE Linux Enterprise Server 15 SP5 | Fixed |
| SUSE Manager Proxy 4.3 | Fixed |
| SUSE Manager Retail Branch Server 4.3 | Fixed |
| SUSE Manager Server 4.3 | Fixed |
| SUSE Enterprise Storage 7 | Fixed |
| SUSE Enterprise Storage 7.1 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP2 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP3 | Fixed |
| SUSE Linux Enterprise Module for Public Cloud 15 SP2 | Fixed |
| SUSE Linux Enterprise Module for Public Cloud 15 SP3 | Fixed |
| SUSE Linux Enterprise Server 15 SP2 | Fixed |
| SUSE Linux Enterprise Server 15 SP3 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP2 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP3 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
| SUSE Manager Proxy 4.1 | Fixed |
| SUSE Manager Proxy 4.2 | Fixed |
| SUSE Manager Retail Branch Server 4.1 | Fixed |
| SUSE Manager Retail Branch Server 4.2 | Fixed |
| SUSE Manager Server 4.1 | Fixed |
| SUSE Manager Server 4.2 | Fixed |
| openSUSE Leap 15.3 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14434
GHSA-x7cq-7pqm-2pgr