Linux Distros Unpatched Vulnerability : CVE-2026-42440

🗓️ 05 May 2026 00:00:00Reported by TenableType

Linux vulnerability enables denial of service via unbounded array allocation from untrusted models.

Reporter	Title	Published	Views	Family All 25
ATTACKERKB	CVE-2026-42440	4 May 202616:40	–	attackerkb
Chainguard	CVE-2026-42440 vulnerabilities	9 May 202613:17	–	cgr
Circl	CVE-2026-42440	4 May 202619:01	–	circl
CNNVD	Apache OpenNLP 安全漏洞	4 May 202600:00	–	cnnvd
CVE	CVE-2026-42440	4 May 202616:40	–	cve
Cvelist	CVE-2026-42440 Apache OpenNLP: OOM DoS via Unbounded Array Allocation in AbstractModelReader	4 May 202616:40	–	cvelist
Debian CVE	CVE-2026-42440	4 May 202616:40	–	debiancve
EUVD	EUVD-2026-27031	4 May 202616:40	–	euvd
Github Security Blog	Apache OpenNLP AbstractModelReader has an OOM Denial of Service via Unbounded Array Allocation	4 May 202618:30	–	github
NVD	CVE-2026-42440	4 May 202617:16	–	nvd

Source	Link
security-tracker	www.security-tracker.debian.org/tracker/CVE-2026-42440
ubuntu	www.ubuntu.com/security/CVE-2026-42440
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(312196);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/05/22");

  script_cve_id("CVE-2026-42440");

  script_name(english:"Linux Distros Unpatched Vulnerability : CVE-2026-42440");

  script_set_attribute(attribute:"synopsis", value:
"The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be
patched.");
  script_set_attribute(attribute:"description", value:
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied
patch available.

  - OOM Denial of Service via Unbounded Array Allocation in Apache OpenNLP AbstractModelReader Versions
    Affected: before 2.5.9 before 3.0.0-M3 Description: The AbstractModelReader methods getOutcomes(),
    getOutcomePatterns(), and getPredicates() each read a 32-bit signed integer count field from a binary
    model stream and pass that value directly to an array allocation (new String[numOutcomes], new
    int[numOCTypes][], new String[NUM_PREDS]) without validating that the value is non-negative or within a
    reasonable bound. The count is therefore fully attacker-controlled when the model file originates from an
    untrusted source. A crafted .bin model file in which any of these count fields is set to Integer.MAX_VALUE
    (or any value large enough to exhaust the available heap) triggers an OutOfMemoryError at the array
    allocation itself, before the corresponding label or pattern data is consumed from the stream. The error
    occurs very early in deserialization: for a GIS model, getOutcomes() is reached after only the model-type
    string, the correction constant, and the correction parameter have been read; so the attacker pays no
    meaningful size cost to weaponize a payload, and a single small file can crash a JVM that loads it. Any
    code path that deserializes a .bin model is affected, including direct use of GenericModelReader and any
    higher-level component that delegates to it during model load. The practical impact is denial of service
    against processes that load model files from untrusted or semi-trusted origins. Mitigation: * 2.x users
    should upgrade to 2.5.9. * 3.x users should upgrade to 3.0.0-M3. Note: The fix introduces an upper bound
    on each of the three count fields, checked before array allocation; counts that are negative or exceed the
    bound cause an IllegalArgumentException to be thrown and the read to fail fast with no large allocation.
    The default bound is 10,000,000, which is well above the entry counts of legitimate OpenNLP models but far
    below any value that would threaten heap exhaustion. Deployments that legitimately need to load models
    with more entries than the default can raise the limit at JVM startup by setting the OPENNLP_MAX_ENTRIES
    system property to the desired positive integer (e.g. -DOPENNLP_MAX_ENTRIES=50000000); invalid or non-
    positive values fall back to the default. Users who cannot upgrade immediately should treat all .bin model
    files as untrusted input unless their provenance is verified, and should avoid loading models supplied by
    end users or fetched from third-party repositories without integrity checks. (CVE-2026-42440)

Note that Nessus relies on the presence of the package as reported by the vendor.");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2026-42440");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/CVE-2026-42440");
  script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:U/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:U/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-42440");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/05/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/05/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:20.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:22.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:24.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:25.10");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:11.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:12.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:13.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:apache-opennlp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:apache-opennlp");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl", "set_linux_os_id.nasl");
  script_require_keys("Host/cpu", "Host/local_checks_enabled", "global_settings/vendor_unpatched", "Host/OS/identifier");
  script_require_ports("Host/OS/Debian Linux-11", "Host/OS/Debian Linux-12", "Host/OS/Debian Linux-13", "Host/OS/Ubuntu Linux-20.04", "Host/OS/Ubuntu Linux-22.04", "Host/OS/Ubuntu Linux-24.04", "Host/OS/Ubuntu Linux-25.10");

  exit(0);
}

if (!get_kb_item("global_settings/vendor_unpatched")) exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (empty_or_null(get_one_kb_item("Host/Debian/dpkg-l"))) audit(AUDIT_PACKAGE_LIST_MISSING);

include('linux_unpatched.inc');

var distro_constraints_array = {
  "Debian Linux-11": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "11",
        "pkgs": [
          {"reference": "libapache-opennlp-java"},
          {"reference": "opennlp"}
        ]
      }
    ]
  },
  "Debian Linux-12": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "12",
        "pkgs": [
          {"reference": "libapache-opennlp-java"},
          {"reference": "opennlp"}
        ]
      }
    ]
  },
  "Debian Linux-13": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "13",
        "pkgs": [
          {"reference": "libapache-opennlp-java"},
          {"reference": "opennlp"}
        ]
      }
    ]
  },
  "Ubuntu Linux-20.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "20.04",
        "pkgs": [
          {"reference": "apache-opennlp"}
        ]
      }
    ]
  },
  "Ubuntu Linux-22.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "22.04",
        "pkgs": [
          {"reference": "apache-opennlp"}
        ]
      }
    ]
  },
  "Ubuntu Linux-24.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "24.04",
        "pkgs": [
          {"reference": "apache-opennlp"}
        ]
      }
    ]
  },
  "Ubuntu Linux-25.10": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "25.10",
        "pkgs": [
          {"reference": "apache-opennlp"}
        ]
      }
    ]
  }
};

var distro_constraints_values = linux_unpatched::get_distro_constraints(distro_constraints_arr:distro_constraints_array);
if (empty_or_null(distro_constraints_values)) audit(AUDIT_HOST_NOT, 'affected');
var report = linux_unpatched::check_unpatched_constraints(distro_constraints_values:distro_constraints_values);

if (!empty_or_null(report))
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : report
  );
  exit(0);
}
else
{
  audit(AUDIT_HOST_NOT, 'affected');
}

22 May 2026 00:00Current

5.9Medium risk

Vulners AI Score5.9

CVSS 3.17.5

EPSS0.00189

SSVC