CVE-2026-42440: OOM Denial of Service via Unbounded Array Allocation in Apache OpenNLP AbstractModelReader Versions Affected: before
Summary
Three methods in Apache OpenNLP's AbstractModelReader read count values from binary model files without checking that they are reasonable and then use those counts to size arrays. An attacker can therefore trigger an OOM error (a crash caused by the program running out of memory) by crafting a malicious .bin file that carries an extremely large count value. The resulting denial of service (making a service unavailable) needs only a very small file and crashes the Java virtual machine early during model loading.
Solution / Mitigation
2.x users should upgrade to 2.5.9. 3.x users should upgrade to 3.0.0-M3. The fix adds an upper bound check (default 10,000,000) on the three count fields before array allocation; values that are negative or exceed the bound throw an IllegalArgumentException and fail safely. Users who cannot upgrade immediately should treat all .bin model files as untrusted input unless their origin is verified, and avoid loading models from end users or third-party repositories without integrity checks. Deployments needing higher limits can set the OPENNLP_MAX_ENTRIES system property at JVM startup (e.g., -DOPENNLP_MAX_ENTRIES=50000000).
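The following is an added example, not code from Apache OpenNLP, showing the read-count-then-allocate pattern described above beside the bounded form the fix introduces. The reader methods, the entry format (a count followed by UTF strings) and the class name are assumptions that mirror the pattern, not the project's actual AbstractModelReader API; the OPENNLP_MAX_ENTRIES property and 10,000,000 default come from the advisory.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;

public class CountBoundDemo {
    // Upper bound on any count field; overridable at JVM startup with
    // -DOPENNLP_MAX_ENTRIES=50000000 (default 10,000,000 as in the advisory).
    static final int MAX_ENTRIES = Integer.getInteger("OPENNLP_MAX_ENTRIES", 10_000_000);

    // Vulnerable pattern (hypothetical reader): the count from the file sizes the
    // array directly, so a 4-byte header holding Integer.MAX_VALUE drives
    // new String[Integer.MAX_VALUE] and the JVM dies with OutOfMemoryError.
    static String[] readUnbounded(DataInputStream in) throws IOException {
        int count = in.readInt();
        String[] entries = new String[count];
        for (int i = 0; i < count; i++) entries[i] = in.readUTF();
        return entries;
    }

    // Hardened pattern: reject negative or oversized counts before allocating.
    static String[] readBounded(DataInputStream in) throws IOException {
        int count = in.readInt();
        if (count < 0 || count > MAX_ENTRIES) {
            throw new IllegalArgumentException(
                "entry count " + count + " out of range [0, " + MAX_ENTRIES + "]");
        }
        String[] entries = new String[count];
        for (int i = 0; i < count; i++) entries[i] = in.readUTF();
        return entries;
    }

    // Constructed test input: a header whose count field is Integer.MAX_VALUE
    // and nothing else, i.e. the minimal input the bound check must reject.
    static byte[] oversizedCountHeader() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeInt(Integer.MAX_VALUE);
        out.flush();
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        byte[] bin = oversizedCountHeader();
        try {
            readBounded(new DataInputStream(new ByteArrayInputStream(bin)));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected before allocation: " + e.getMessage());
        }
    }
}
```

Running main prints the rejection message from readBounded; readUnbounded is kept only as the "before" form and is deliberately not invoked on the constructed header.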
Vulnerability Details
EPSS: 0.0%
May 4, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-42440
First tracked: May 4, 2026 at 02:07 PM