Infinite Loop DoS via Crafted Boolean XPath in antchfx/xpath
CVE-2026-4645 Published on March 23, 2026

Github.com/antchfx/xpath: xpath: denial of service via crafted boolean xpath expressions
A flaw was found in the `github.com/antchfx/xpath` component. A remote attacker could exploit this vulnerability by submitting crafted Boolean XPath expressions that evaluate to true. This can cause an infinite loop in the `logicalQuery.Select` function, leading to 100% CPU utilization and a Denial of Service (DoS) condition for the affected system.

NVD

Vulnerability Analysis

CVE-2026-4645 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
NONE
Availability Impact:
HIGH

Timeline

Reported to Red Hat.

Made public.

Weakness Type

What is an Infinite Loop Vulnerability?

The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. If the loop can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory.

CVE-2026-4645 has been classified to as an Infinite Loop vulnerability or weakness.


Products Associated with CVE-2026-4645

Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.

Red Hat Openshift Compliance Operator
 
Red Hat Openshift File Integrity Operator
 
Red Hat Migration Toolkit Applications
 
Red Hat Acm
 
Red Hat Enterprise Linux (RHEL)
 
Red Hat Openshift
 
Red Hat Openshift Distributed Tracing
 

Affected Versions

Red Hat Compliance Operator: Red Hat Compliance Operator: Red Hat File Integrity Operator: Red Hat File Integrity Operator: Red Hat File Integrity Operator: Red Hat File Integrity Operator: Red Hat Migration Toolkit for Applications 8: Red Hat Migration Toolkit for Applications 8: Red Hat Migration Toolkit for Applications 8: Red Hat Migration Toolkit for Applications 8: Red Hat Migration Toolkit for Applications 8: Red Hat Migration Toolkit for Applications 8: Red Hat Advanced Cluster Management for Kubernetes 2: Red Hat Enterprise Linux 10: Red Hat Enterprise Linux 9: Red Hat OpenShift Container Platform 4: Red Hat OpenShift Container Platform 4: Red Hat OpenShift Container Platform 4: Red Hat OpenShift distributed tracing 3: Red Hat OpenShift distributed tracing 3: Red Hat OpenShift distributed tracing 3: Red Hat OpenShift distributed tracing 3: