PT-2026-36637 · Apache · Apache Opennlp

Subramanian S

·

Published

2026-05-02

·

Updated

2026-05-04

·

CVE-2026-42440

CVSS v3.1

7.5

High

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Apache OpenNLP versions prior to 2.5.9
Apache OpenNLP versions prior to 3.0.0-M3
Description An OutOfMemory (OOM) Denial of Service exists in the AbstractModelReader class. The methods getOutcomes(), getOutcomePatterns(), and getPredicates() read a 32-bit signed integer count from a binary model stream and use it directly as an array size, without validating that the value is non-negative and within reasonable bounds. An attacker can supply a crafted .bin model file whose count field is set to a very large value, such as Integer.MAX_VALUE, so that the allocation alone exhausts the available heap and throws an OutOfMemoryError during deserialization, before a single entry is read. A file only a few bytes long can therefore crash the Java Virtual Machine (JVM) of any process that loads model files from untrusted or semi-trusted origins.
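The count-then-allocate pattern the description refers to, shown side by side with a bounded variant, as an added illustration that is not OpenNLP's own code. The class and method names are hypothetical, the byte layout (a 4-byte big-endian count followed by modified-UTF-8 strings) is a minimal stand-in for a real model stream, and the 10,000,000 default and the OPENNLP_MAX_ENTRIES property lookup are assumptions taken from the advisory's wording rather than from the project's source:

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;

/** Hypothetical demo class; not part of Apache OpenNLP. */
public class CountedArrayReadDemo {

    // Assumed default and property name, modelled on the advisory text.
    static final int DEFAULT_MAX_ENTRIES = 10_000_000;
    static final int MAX_ENTRIES =
            Integer.getInteger("OPENNLP_MAX_ENTRIES", DEFAULT_MAX_ENTRIES);

    /** Vulnerable pattern: the declared count is trusted and allocated at once. */
    static String[] readOutcomesUnchecked(DataInputStream in) throws IOException {
        int count = in.readInt();              // attacker-controlled
        String[] outcomes = new String[count]; // OOM for huge counts, NegativeArraySizeException for negative ones
        for (int i = 0; i < count; i++) {
            outcomes[i] = in.readUTF();
        }
        return outcomes;
    }

    /** Hardened pattern: reject the count before any allocation happens. */
    static String[] readOutcomesChecked(DataInputStream in) throws IOException {
        int count = in.readInt();
        if (count < 0 || count > MAX_ENTRIES) {
            throw new InvalidObjectException(
                    "model declares " + count + " entries; limit is " + MAX_ENTRIES);
        }
        String[] outcomes = new String[count];
        for (int i = 0; i < count; i++) {
            outcomes[i] = in.readUTF(); // EOFException if the stream is shorter than declared
        }
        return outcomes;
    }

    /** Builds a constructed stream: a count field followed by zero or more entries. */
    static byte[] encode(int declaredCount, String... entries) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeInt(declaredCount);
        for (String e : entries) {
            out.writeUTF(e);
        }
        out.flush();
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Well-formed input: count matches the entries that follow.
        byte[] benign = encode(2, "positive", "negative");
        String[] ok = readOutcomesChecked(
                new DataInputStream(new ByteArrayInputStream(benign)));
        System.out.println("benign model: " + ok.length + " outcomes");

        // Crafted input: four bytes claiming 2^31-1 entries and nothing else.
        byte[] crafted = encode(Integer.MAX_VALUE);
        try {
            readOutcomesChecked(
                    new DataInputStream(new ByteArrayInputStream(crafted)));
        } catch (InvalidObjectException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // readOutcomesUnchecked on 'crafted' would instead die in
        // new String[Integer.MAX_VALUE] with an OutOfMemoryError.
    }
}
```

Run with `java -DOPENNLP_MAX_ENTRIES=20000000 CountedArrayReadDemo` to see the cap raised; the point of the check is that the decision is made on four bytes of header before the JVM commits any memory, and that a stream shorter than its declared count fails with a catchable EOFException rather than an Error.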
Recommendations Upgrade to version 2.5.9 for 2.x users, or to version 3.0.0-M3 for 3.x users. Treat all .bin model files as untrusted input, and do not load models supplied by end users or fetched from third-party repositories without an integrity check (for example, verifying a pinned hash or signature before the file reaches the model reader). The fixed releases cap the number of entries accepted per model at 10,000,000; deployments that genuinely need more should set the OPENNLP_MAX_ENTRIES system property to the desired positive integer at JVM startup.

Fix

DoS


Weakness Enumeration

Related Identifiers

CVE-2026-42440
GHSA-659W-93R5-9J6M

Affected Products

Apache Opennlp