CVE-2026-22740
Temporary File Cleanup Failure in WebFlux Multipart Handling Enables Disk Exhaustion
Publication date: 2026-04-29
Last updated on: 2026-05-04
Assigner: VMware
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vmware | spring_framework | Up to 5.3.48 (exc) |
| vmware | spring_framework | From 6.1.0 (inc) to 6.1.27 (exc) |
| vmware | spring_framework | From 6.2.0 (inc) to 6.2.18 (exc) |
| vmware | spring_framework | From 7.0.0 (inc) to 7.0.7 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves temporary files created by a WebFlux server application that may not be deleted after processing multipart requests, potentially leading to disk space exhaustion.
To detect this vulnerability on your system, you can monitor the disk usage and look for an unusual accumulation of temporary files related to multipart requests.
- Use commands like `du -sh /path/to/temp/dir/*` to check the size of temporary files.
- Use `lsof +D /path/to/temp/dir` to list open files in the temporary directory.
- Monitor disk space with `df -h` to detect rapid disk space consumption.
Note that the exact temporary file location depends on your WebFlux server configuration.
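The monitoring described above, as an added example that is not part of this advisory: a POSIX shell check that counts and sizes files in the multipart storage directory that are older than a completed request should leave behind, and exits non-zero once they exceed a limit. The directory path, the 30-minute age and the 50-file limit are assumptions; point the script at the storage directory your WebFlux application is configured to use.

```shell
#!/bin/sh
# Added example, not from the advisory: report leftover multipart temp files.
# The directory, the age threshold and the file limit are assumptions; point
# the script at the storage directory your WebFlux application is configured to use.

# Print the number of regular files under $1 older than $2 minutes.
# A completed request should not leave part files behind, so old files are suspect.
count_stale_files() {
    find "$1" -maxdepth 2 -type f -mmin +"$2" 2>/dev/null | wc -l | tr -d ' '
}

# Print the total size in kilobytes of those stale files (0 when there are none).
stale_kilobytes() {
    find "$1" -maxdepth 2 -type f -mmin +"$2" -exec du -k {} + 2>/dev/null |
        awk '{ total += $1 } END { print total + 0 }'
}

# Return 0 when the directory looks healthy, 1 when stale files exceed $3.
check_multipart_tmp() {
    dir="$1"; minutes="$2"; limit="$3"
    n=$(count_stale_files "$dir" "$minutes")
    if [ "$n" -gt "$limit" ]; then
        kb=$(stale_kilobytes "$dir" "$minutes")
        echo "WARN: $n stale files ($kb KB) older than ${minutes}m in $dir" >&2
        return 1
    fi
    echo "OK: $n stale files older than ${minutes}m in $dir"
    return 0
}

# Stand-alone use: sh multipart-tmp-check.sh /path/to/multipart/tmp [minutes] [limit]
# A non-zero exit lets cron or a monitoring agent alert on accumulation.
if [ $# -gt 0 ]; then
    check_multipart_tmp "$1" "${2:-30}" "${3:-50}"
fi
```

Run it from cron against the configured storage directory and alert on a non-zero exit; pair it with `df -h` trending so a leak is caught before the filesystem fills.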
Can you explain this vulnerability to me?
CVE-2026-22740 is a Denial of Service (DoS) vulnerability in the Spring Framework's WebFlux module related to the handling of multipart requests.
When a WebFlux server application processes multipart requests, it creates temporary files for parts larger than 10 KB. Under certain conditions, these temporary files may not be deleted after the request has been fully processed.
This behavior allows an attacker to consume available disk space by causing leftover temporary files to accumulate.
How can this vulnerability impact me?
The vulnerability can lead to exhaustion of disk space on the server running the WebFlux application.
By causing temporary files to remain undeleted, an attacker can consume all available disk space, potentially causing denial of service by preventing the application or server from functioning properly.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the affected Spring Framework versions to the fixed releases.
- Upgrade 7.0.x versions to 7.0.7 or later (Open Source).
- Upgrade 6.2.x versions to 6.2.18 or later (Open Source).
- Upgrade 6.1.x versions to 6.1.27 or later (Commercial).
- Upgrade 5.3.x versions to 5.3.48 or later (Commercial).
No additional mitigation steps are required beyond upgrading.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to consume available disk space by leaving temporary files undeleted after processing multipart requests, potentially leading to denial of service.
While this impacts availability, it does not affect confidentiality or integrity of data.
There is no direct information provided about how this vulnerability affects compliance with standards such as GDPR or HIPAA.