PatchSiren cyber security CVE debrief
CVE-2026-43825 Apache Software Foundation CVE debrief
CVE-2026-43825 is a high-severity vulnerability in Apache OpenNLP's SvmDoccatModel, which allows for remote code execution via untrusted Java deserialization. The vulnerability affects versions before 3.0.0-M4 and is caused by the deserialize() method reading an attacker-controlled stream with java.io.ObjectInputStream and calling readObject() without an ObjectInputFilter installed. The practical impact is remote code execution against processes that load SvmDoccatModel instances from untrusted or semi-trusted origins.
- Vendor
- Apache Software Foundation
- Product
- Apache OpenNLP :: Core :: ML :: LibSVM
- CVSS
- HIGH 7.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-06
- Original CVE updated
- 2026-07-08
- Advisory published
- 2026-07-06
- Advisory updated
- 2026-07-08
Who should care
Users of Apache OpenNLP, particularly those who use the libsvm module, should be aware of this vulnerability and take steps to mitigate it. This includes upgrading to version 3.0.0-M4 or later, and treating all serialized SvmDoccatModel streams as untrusted input unless their provenance is verified. Operators of systems that use Apache OpenNLP should review their deployments and ensure that they are not exposed to untrusted input.
Technical summary
The vulnerability is caused by the SvmDoccatModel.deserialize() method reading an attacker-controlled stream with java.io.ObjectInputStream and calling readObject() without an ObjectInputFilter installed. This allows for remote code execution via untrusted Java deserialization. The method is public and static, so any caller can pass an untrusted stream to it directly. The practical impact is remote code execution against processes that load SvmDoccatModel instances from untrusted or semi-trusted origins.
Defensive priority
High
Recommended defensive actions
- Upgrade to Apache OpenNLP version 3.0.0-M4 or later
- Treat all serialized SvmDoccatModel streams as untrusted input unless their provenance is verified
- Avoid invoking SvmDoccatModel.deserialize() on streams supplied by end users or fetched from third-party sources without integrity checks
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
Evidence notes
The vulnerability was reported by an unknown source and is described in the CVE record. The NVD entry is currently Analyzed. There is no information on whether the vulnerability is being actively exploited. The Apache OpenNLP project has released a fix for this vulnerability in version 3.0.0-M4. Users should verify the provenance of any serialized SvmDoccatModel streams before deserializing them.
Official resources
-
CVE-2026-43825 CVE record
CVE.org
-
CVE-2026-43825 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Mailing List, Vendor Advisory
-
Mitigation or vendor reference
af854a3a-2127-422b-91ae-364da2661108 - Mailing List, Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T17:16:31.570Z and has not been modified since then. The NVD entry is currently Analyzed.