{ "threat_severity" : "Moderate", "public_date" : "2026-02-26T01:22:11Z", "bugzilla" : { "description" : "fast-xml-parser: fast-xml-parser: Stack overflow leads to Denial of Service", "id" : "2442938", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2442938" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-776", "details" : [ "fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with stack overflow when user use XML builder with `preserveOrder:true`. Version 5.3.8 fixes the issue. As a workaround, use XML builder with `preserveOrder:false` or check the input data before passing to builder.", "A flaw was found in fast-xml-parser. A user can exploit this flaw by processing specially crafted XML data with the XML builder when the `preserveOrder` option is enabled. This can lead to a stack overflow, causing the application to crash and resulting in a Denial of Service (DoS)." ], "statement" : "The flaw affects the XML builder component of the fast-xml-parser library and is triggered only when the preserveOrder option is explicitly enabled. In Red Hat–shipped configurations, this option is not enabled by default, and the vulnerable code path is therefore not exercised under typical deployments.\nThe underlying issue results in uncontrolled recursion leading to a stack overflow condition, which causes the application to terminate unexpectedly. While this can be triggered via crafted input, the impact is limited strictly to denial of service (DoS) and does not provide a mechanism for arbitrary code execution, privilege escalation, or data disclosure.\nFurthermore, exploitation requires that the affected application processes attacker-controlled XML input through the XML builder functionality with the specific vulnerable configuration enabled. This significantly reduces the attack surface and introduces environmental constraints not considered in the generalized NVD scoring.\nGiven the absence of confidentiality and integrity impact, the requirement for non-default configuration, and the limitation of the impact to process termination, Red Hat considers the practical risk to be lower than the NVD assessment. As such, this issue is classified as Moderate severity.", "affected_release" : [ { "product_name" : "Red Hat Advanced Cluster Security for Kubernetes 4.8", "release_date" : "2026-04-08T00:00:00Z", "advisory" : "RHSA-2026:7110", "cpe" : "cpe:/a:redhat:advanced_cluster_security:4.8::el8", "package" : "advanced-cluster-security/rhacs-main-rhel8:1775594119" }, { "product_name" : "Red Hat Advanced Cluster Security for Kubernetes 4.9", "release_date" : "2026-04-08T00:00:00Z", "advisory" : "RHSA-2026:7128", "cpe" : "cpe:/a:redhat:advanced_cluster_security:4.9::el8", "package" : "advanced-cluster-security/rhacs-main-rhel8:1775594284" }, { "product_name" : "Red Hat Developer Hub 1.8", "release_date" : "2026-03-30T00:00:00Z", "advisory" : "RHSA-2026:6174", "cpe" : "cpe:/a:redhat:rhdh:1.8::el9", "package" : "rhdh/rhdh-hub-rhel9:1774545605" }, { "product_name" : "Red Hat Developer Hub 1.9", "release_date" : "2026-04-07T00:00:00Z", "advisory" : "RHSA-2026:6802", "cpe" : "cpe:/a:redhat:rhdh:1.9::el9", "package" : "rhdh/rhdh-hub-rhel9:1775140647" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-30T00:00:00Z", "advisory" : "RHSA-2026:12277", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/cephcsi-rhel9:1775822432" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-30T00:00:00Z", "advisory" : "RHSA-2026:12277", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/cephcsi-rhel9-operator:1776403457" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-30T00:00:00Z", "advisory" : "RHSA-2026:12277", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/mcg-core-rhel9:1776403991" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-30T00:00:00Z", "advisory" : "RHSA-2026:12277", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/mcg-rhel9-operator:1776404009" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-30T00:00:00Z", "advisory" : "RHSA-2026:12277", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/ocs-client-console-rhel9:1776404539" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-30T00:00:00Z", "advisory" : "RHSA-2026:12277", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/ocs-client-rhel9-operator:1776404060" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-30T00:00:00Z", "advisory" : "RHSA-2026:12277", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/ocs-metrics-exporter-rhel9:1775822689" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-30T00:00:00Z", "advisory" : "RHSA-2026:12277", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/ocs-rhel9-operator:1776404131" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-30T00:00:00Z", "advisory" : "RHSA-2026:12277", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/odf-cli-rhel9:1776406225" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-30T00:00:00Z", "advisory" : "RHSA-2026:12277", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/odf-cloudnative-pg-rhel9-operator:1776406131" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-30T00:00:00Z", "advisory" : "RHSA-2026:12277", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/odf-console-rhel9:1776406770" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-30T00:00:00Z", "advisory" : "RHSA-2026:12277", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/odf-cosi-sidecar-rhel9:1776406247" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-30T00:00:00Z", "advisory" : "RHSA-2026:12277", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/odf-csi-addons-rhel9-operator:1776406286" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-30T00:00:00Z", "advisory" : "RHSA-2026:12277", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/odf-csi-addons-sidecar-rhel9:1776406291" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-30T00:00:00Z", "advisory" : "RHSA-2026:12277", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/odf-external-snapshotter-rhel9-operator:1776406284" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-30T00:00:00Z", "advisory" : "RHSA-2026:12277", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/odf-external-snapshotter-sidecar-rhel9:1776406291" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-30T00:00:00Z", "advisory" : "RHSA-2026:12277", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/odf-multicluster-console-rhel9:1776406771" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-30T00:00:00Z", "advisory" : "RHSA-2026:12277", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/odf-multicluster-rhel9-operator:1776406384" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-30T00:00:00Z", "advisory" : "RHSA-2026:12277", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/odf-must-gather-rhel9:1776406540" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-30T00:00:00Z", "advisory" : "RHSA-2026:12277", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/odf-rhel9-operator:1776406595" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-30T00:00:00Z", "advisory" : "RHSA-2026:12277", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/odr-rhel9-operator:1776406594" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-30T00:00:00Z", "advisory" : "RHSA-2026:12277", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/rook-ceph-rhel9-operator:1775823207" } ], "package_state" : [ { "product_name" : "Migration Toolkit for Applications 8", "fix_state" : "Affected", "package_name" : "mta/mta-ui-rhel9", "cpe" : "cpe:/a:redhat:migration_toolkit_applications:8" }, { "product_name" : "Red Hat OpenShift GitOps", "fix_state" : "Affected", "package_name" : "openshift-gitops-1/argocd-rhel8", "cpe" : "cpe:/a:redhat:openshift_gitops:1" }, { "product_name" : "Red Hat OpenShift GitOps", "fix_state" : "Affected", "package_name" : "openshift-gitops-1/argocd-rhel9", "cpe" : "cpe:/a:redhat:openshift_gitops:1" }, { "product_name" : "Red Hat OpenShift Virtualization 4", "fix_state" : "Affected", "package_name" : "container-native-virtualization/kubevirt-console-plugin", "cpe" : "cpe:/a:redhat:container_native_virtualization:4" }, { "product_name" : "Red Hat OpenShift Virtualization 4", "fix_state" : "Affected", "package_name" : "container-native-virtualization/kubevirt-console-plugin-rhel9", "cpe" : "cpe:/a:redhat:container_native_virtualization:4" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Affected", "package_name" : "satellite/iop-host-inventory-frontend-rhel9", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Affected", "package_name" : "satellite/iop-vulnerability-frontend-rhel9", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Self-service automation portal 2", "fix_state" : "Affected", "package_name" : "ansible-automation-platform/automation-portal", "cpe" : "cpe:/a:redhat:ansible_portal:2" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-27942\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27942\nhttps://github.com/NaturalIntelligence/fast-xml-parser/commit/c13a961910f14986295dd28484eee830fa1a0e8a\nhttps://github.com/NaturalIntelligence/fast-xml-parser/pull/791\nhttps://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-fj3w-jwp8-x2g3" ], "name" : "CVE-2026-27942", "mitigation" : { "value" : "To mitigate this vulnerability, configure applications using the `fast-xml-parser` XML builder to set the `preserveOrder` option to `false`. Alternatively, ensure that all XML input data is thoroughly validated before being passed to the builder to prevent the processing of malicious or malformed content.", "lang" : "en:us" }, "csaw" : false }