CVE-2026-32287
Status: Received - Intake
Infinite Loop in Go XPath Causes 100% CPU Usage

Publication date: 2026-03-26

Last updated on: 2026-04-21

Assigner: Go Project

Description
Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as "1=1" or "true()".
Meta Information: Published 2026-03-26; Last Modified 2026-04-21; Generated 2026-06-16; AI Q&A 2026-03-26; EPSS Evaluated 2026-06-15. Sources: NVD, EUVD.
Affected Vendors & Products (1 associated CPE)
Vendor: antchfx
Product: xpath
Version / Range: up to 1.3.6 (exclusive), i.e. all versions before v1.3.6
CWE
CWE-835: The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Impact Analysis

The vulnerability can cause a denial of service condition by making the affected application consume 100% CPU resources indefinitely.

This can degrade system performance, cause application crashes, or make services unavailable to legitimate users.

Executive Summary

CVE-2026-32287 is a vulnerability in the Go package github.com/antchfx/xpath, specifically in the logicalQuery.Select function. When Boolean XPath expressions that always evaluate to true, such as "1=1" or "true()", are used as top-level selectors, they can cause an infinite loop.

This infinite loop leads to 100% CPU usage, effectively causing the application to hang or become unresponsive.

Detection Guidance

Detection comes down to spotting a process that pins a CPU core while evaluating a Boolean XPath expression such as "1=1" or "true()" with github.com/antchfx/xpath before version v1.3.6.

More specifically, confirm that the stuck goroutine is inside logicalQuery.Select, which is where the loop never terminates.

No exact commands are prescribed, but ordinary system monitoring tools are enough to find a process spinning on this package, for example:

  • Use top or htop on Linux to identify processes at 100% CPU usage.
  • Use pstack or gdb to attach to the process and inspect stack traces for logicalQuery.Select or Expr.Evaluate frames; for a Go binary, sending SIGQUIT makes the runtime print a goroutine dump to stderr, which shows the same frames without a debugger.
  • Use strace or equivalent to monitor system calls, if applicable (a pure CPU loop will show few or no system calls, which is itself a hint).
Mitigation Strategies

The immediate mitigation step is to upgrade the github.com/antchfx/xpath package to version v1.3.6 or later, where the vulnerability has been fixed.

Until the package is updated, do not pass Boolean XPath expressions that evaluate to true, such as "1=1" or "true()", as top-level selectors, and reject such selectors when they come from untrusted input.

Monitor your systems for unusual CPU usage patterns that may indicate exploitation attempts.
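As an added illustration of the workaround above (not code from the antchfx/xpath project), a hypothetical Go pre-filter that flags selectors whose top level is a Boolean expression so the caller can refuse them before calling xpath.Compile; it is a heuristic scanner over bracket depth and string literals, not a full XPath parser.

```go
package main

import "strings"

// isNameChar: simplified ASCII set of characters that can appear in an XPath name.
func isNameChar(c byte) bool {
	return c == '_' || c == '-' || c == '.' || c == ':' || (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
}

// isOperatorWordAt reports whether "and"/"or" at s[i] is an operator rather than part
// of a name: not glued to name characters and not preceded by '/' or '@' (a step name).
func isOperatorWordAt(s string, i int, w string) bool {
	if !strings.HasPrefix(s[i:], w) {
		return false
	}
	before := i == 0 || !(isNameChar(s[i-1]) || s[i-1] == '/' || s[i-1] == '@')
	after := i+len(w) == len(s) || !isNameChar(s[i+len(w)])
	return before && after
}

// IsTopLevelBoolean is a hypothetical pre-filter, not part of antchfx/xpath. It flags
// selectors whose top level is a Boolean expression ("1=1", "true()", "not(//a)",
// "count(//a) > 1") by scanning only at bracket depth 0 and outside string literals,
// so a predicate such as //item[@id=1] is not flagged. Refuse anything it flags.
func IsTopLevelBoolean(expr string) bool {
	s := strings.TrimSpace(expr)
	lower := strings.ToLower(s)
	if strings.HasPrefix(lower, "true(") || strings.HasPrefix(lower, "false(") || strings.HasPrefix(lower, "not(") {
		return true
	}
	depth, quote := 0, byte(0) // [] / () nesting, and the delimiter of an open literal
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case quote != 0 && c == quote: // closing quote of a string literal
			quote = 0
		case quote != 0: // anything else inside a literal is data, not an operator
		case c == '\'' || c == '"':
			quote = c
		case c == '[' || c == '(':
			depth++
		case c == ']' || c == ')':
			depth--
		case depth == 0 && (c == '=' || c == '<' || c == '>' ||
			isOperatorWordAt(s, i, "and") || isOperatorWordAt(s, i, "or")):
			return true
		}
	}
	return false
}
```

Call IsTopLevelBoolean on every selector before it reaches the library while still on a version before v1.3.6; a flagged selector should be rejected with an error rather than evaluated.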

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
