{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4645", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "REJECTED", "assignerShortName": "redhat", "dateReserved": "2026-03-23T12:21:39.096Z", "datePublished": "2026-03-23T13:35:22.985Z", "dateUpdated": "2026-03-30T08:01:39.710Z", "dateRejected": "2026-03-30T08:01:39.710Z"}, "containers": {"cna": {"rejectedReasons": [{"lang": "en", "value": "Duplicate of CVE-2026-32287"}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-03-30T08:01:39.710Z"}}}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4645", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "REJECTED", "assignerShortName": "redhat", "dateReserved": "2026-03-23T12:21:39.096Z", "datePublished": "2026-03-23T13:35:22.985Z", "dateUpdated": "2026-03-30T08:01:39.710Z", "dateRejected": "2026-03-30T08:01:39.710Z"}, "containers": {"cna": {"rejectedReasons": [{"lang": "en", "value": "Duplicate of CVE-2026-32287"}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-03-30T08:01:39.710Z"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Rejected reason: Duplicate of CVE-2026-32287"}], "id": "CVE-2026-4645", "lastModified": "2026-03-30T08:16:18.693", "metrics": {}, "published": "2026-03-23T14:16:36.063", "references": [], "sourceIdentifier": "[email protected]", "vulnStatus": "Rejected"}

{"bugzilla": {"description": "github.com/antchfx/xpath: xpath: Denial of Service via crafted Boolean XPath expressions", "id": "2450214", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450214"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-835", "details": ["A flaw was found in the `github.com/antchfx/xpath` component. A remote attacker could exploit this vulnerability by submitting crafted Boolean XPath expressions that evaluate to true. This can cause an infinite loop in the `logicalQuery.Select` function, leading to 100% CPU utilization and a Denial of Service (DoS) condition for the affected system."], "name": "CVE-2026-4645", "package_state": [{"cpe": "cpe:/a:redhat:openshift_compliance_operator:1", "fix_state": "Affected", "package_name": "compliance/openshift-compliance-operator-bundle", "product_name": "Compliance Operator"}, {"cpe": "cpe:/a:redhat:openshift_compliance_operator:1", "fix_state": "Affected", "package_name": "compliance/openshift-compliance-rhel8-operator", "product_name": "Compliance Operator"}, {"cpe": "cpe:/a:redhat:openshift_file_integrity_operator:1", "fix_state": "Affected", "package_name": "compliance/openshift-compliance-must-gather-rhel8", "product_name": "File Integrity Operator"}, {"cpe": "cpe:/a:redhat:openshift_file_integrity_operator:1", "fix_state": "Affected", "package_name": "compliance/openshift-compliance-openscap-rhel8", "product_name": "File Integrity Operator"}, {"cpe": "cpe:/a:redhat:openshift_file_integrity_operator:1", "fix_state": "Affected", "package_name": "compliance/openshift-compliance-operator-bundle", "product_name": "File Integrity Operator"}, {"cpe": "cpe:/a:redhat:openshift_file_integrity_operator:1", "fix_state": "Affected", "package_name": "compliance/openshift-compliance-rhel8-operator", "product_name": "File Integrity Operator"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:8", "fix_state": "Affected", "package_name": "mta/mta-cli-rhel9", "product_name": "Migration Toolkit for Applications 8"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:8", "fix_state": "Affected", "package_name": "mta/mta-dotnet-external-provider-rhel8", "product_name": "Migration Toolkit for Applications 8"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:8", "fix_state": "Affected", "package_name": "mta/mta-dotnet-external-provider-rhel9", "product_name": "Migration Toolkit for Applications 8"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:8", "fix_state": "Affected", "package_name": "mta/mta-generic-external-provider-rhel9", "product_name": "Migration Toolkit for Applications 8"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:8", "fix_state": "Affected", "package_name": "mta/mta-java-external-provider-rhel9", "product_name": "Migration Toolkit for Applications 8"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:8", "fix_state": "Affected", "package_name": "mta/mta-solution-server-rhel9", "product_name": "Migration Toolkit for Applications 8"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "package_name": "rhacm2/acm-grafana-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "opentelemetry-collector", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "opentelemetry-collector", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "compliance/openshift-compliance-must-gather-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "compliance/openshift-compliance-openscap-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "compliance/openshift-compliance-rhel8-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Affected", "package_name": "rhosdt/opentelemetry-collector-rhel9", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Affected", "package_name": "rhosdt/tempo-jaeger-query-rhel9", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Affected", "package_name": "rhosdt/tempo-query-rhel9", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Affected", "package_name": "rhosdt/tempo-rhel9", "product_name": "Red Hat OpenShift distributed tracing 3"}], "public_date": "2026-03-17T20:58:59Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-4645\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-4645\nhttps://github.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494\nhttps://github.com/antchfx/xpath/issues/121\nhttps://github.com/golang/vulndb/issues/4526"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 90.0, "confidence_source": "matching", "scores": [{"score": 90.0, "source": "matching"}]}, "original": {"product": "Red Hat Advanced Cluster Management for Kubernetes 2", "source": "cna", "vendor": "Red Hat"}, "product": "advanced_cluster_management_for_kubernetes", "vendor": "redhat"}, {"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Red Hat Enterprise Linux 10", "source": "cna", "vendor": "Red Hat"}, "product": "enterprise_linux", "vendor": "redhat"}, {"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 96.0, "confidence_source": "matching", "scores": [{"score": 96.0, "source": "matching"}]}, "original": {"product": "Migration Toolkit for Applications 8", "source": "cna", "vendor": "Red Hat"}, "product": "migration_toolkit_for_applications", "vendor": "redhat"}, {"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 83.0, "confidence_source": "matching", "scores": [{"score": 83.0, "source": "matching"}]}, "original": {"product": "Compliance Operator", "source": "cna", "vendor": "Red Hat"}, "product": "openshift_compliance_operator", "vendor": "redhat"}, {"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 86.0, "confidence_source": "matching", "scores": [{"score": 86.0, "source": "matching"}]}, "original": {"product": "Red Hat OpenShift Container Platform 4", "source": "cna", "vendor": "Red Hat"}, "product": "openshift_container_platform", "vendor": "redhat"}, {"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 87.0, "confidence_source": "matching", "scores": [{"score": 87.0, "source": "matching"}]}, "original": {"product": "Red Hat OpenShift distributed tracing 3", "source": "cna", "vendor": "Red Hat"}, "product": "openshift_distributed_tracing", "vendor": "redhat"}, {"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 85.0, "confidence_source": "matching", "scores": [{"score": 85.0, "source": "matching"}]}, "original": {"product": "File Integrity Operator", "source": "cna", "vendor": "Red Hat"}, "product": "openshift_file_integrity_operator", "vendor": "redhat"}], "analysis": {"en": {"generated_at": "2026-03-23T15:25:46.311683+00:00", "value": {"mitigation_remediation": ["Update all Red\u202fHat packages that depend on antchfx/xpath to the latest available release"], "summary": {"action": "Patch Now", "impact": "Denial of Service (resource exhaustion)"}, "threat_synthesis": {"affected_systems": "Any installation of the Red\u202fHat Compliance Operator, File Integrity Operator, Migration Toolkit for Applications 8, Advanced Cluster Management for Kubernetes, Enterprise Linux 9 or 10, OpenShift Container Platform 4, or OpenShift distributed tracing that incorporates the antchfx/xpath library may be vulnerable. No specific version numbers are listed in the reference data, so the risk applies to all current releases of those products that depend on the impacted library.", "description_and_impact": "The vulnerability lies in the GitHub package antchfx/xpath, which is used by several Red\u202fHat products. A remote attacker can submit specially crafted Boolean XPath expressions that evaluate to true, causing the logicalQuery.Select function to enter an infinite loop. This loop drives CPU usage to 100\u202f% and results in a denial of service for the affected system.", "risk_and_exploitability": "The CVSS score of 7.5 indicates high severity, though the EPSS score is not available and the vulnerability is not yet listed in the CISA KEV catalog. The attack vector is inferred to be remote, via submission of crafted Boolean expressions to any service that processes XPath queries. If exploited, the effect is a system\u2011wide denial of service due to CPU exhaustion, potentially affecting availability of critical services."}}}}, "created": "2026-03-24T10:34:00.892691+00:00", "updated": "2026-03-25T14:49:04.977625+00:00", "vendors": ["redhat", "redhat$PRODUCT$advanced_cluster_management_for_kubernetes", "redhat$PRODUCT$enterprise_linux", "redhat$PRODUCT$migration_toolkit_for_applications", "redhat$PRODUCT$openshift_compliance_operator", "redhat$PRODUCT$openshift_container_platform", "redhat$PRODUCT$openshift_distributed_tracing", "redhat$PRODUCT$openshift_file_integrity_operator"], "weaknesses": ["CWE-835"]}