Executive Summary

CVE-2026-22740 is a Denial of Service (DoS) vulnerability in the Spring Framework's WebFlux module related to the handling of multipart requests.

When a WebFlux server application processes multipart requests, it creates temporary files for parts larger than 10 KB. Under certain conditions, these temporary files may not be deleted after the request has been fully processed.

This behavior allows an attacker to consume available disk space by causing leftover temporary files to accumulate.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can lead to exhaustion of disk space on the server running the WebFlux application.

By causing temporary files to remain undeleted, an attacker can consume all available disk space, potentially causing denial of service by preventing the application or server from functioning properly.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade the affected Spring Framework versions to the fixed releases.

• Upgrade 7.0.x versions to 7.0.7 or later (Open Source).
• Upgrade 6.2.x versions to 6.2.18 or later (Open Source).
• Upgrade 6.1.x versions to 6.1.27 or later (Commercial).
• Upgrade 5.3.x versions to 5.3.48 or later (Commercial).

No additional mitigation steps are required beyond upgrading.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an attacker to consume available disk space by leaving temporary files undeleted after processing multipart requests, potentially leading to denial of service.

While this impacts availability, it does not affect confidentiality or integrity of data.

There is no direct information provided about how this vulnerability affects compliance with standards such as GDPR or HIPAA.

Useful 0 Not Useful 0

Detection Guidance

The vulnerability involves temporary files created by a WebFlux server application that may not be deleted after processing multipart requests, potentially leading to disk space exhaustion.

To detect this vulnerability on your system, you can monitor the disk usage and look for an unusual accumulation of temporary files related to multipart requests.

• Use commands like 'du -sh /path/to/temp/dir/*' to check the size of temporary files.
• Use 'lsof +D /path/to/temp/dir' to list open files in the temporary directory.
• Monitor disk space with 'df -h' to detect rapid disk space consumption.

Note that the exact temporary file location depends on your WebFlux server configuration.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-22740 is a Denial of Service (DoS) vulnerability in the Spring Framework's WebFlux module related to the handling of multipart requests.

When a WebFlux server application processes multipart requests, it creates temporary files for parts larger than 10 KB. Under certain conditions, these temporary files may not be deleted after the request has been fully processed.

This behavior allows an attacker to cause disk space exhaustion by making the server accumulate undeleted temporary files.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to a Denial of Service (DoS) condition by exhausting the available disk space on the server.

As temporary files are not deleted properly, an attacker can consume disk resources, potentially causing the server to become unresponsive or fail to process further requests.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade the affected Spring Framework WebFlux module to a fixed version.

• Upgrade 7.0.x versions to 7.0.7 or later (Open Source).
• Upgrade 6.2.x versions to 6.2.18 or later (Open Source).
• Upgrade 6.1.x versions to 6.1.27 or later (Commercial).
• Upgrade 5.3.x versions to 5.3.48 or later (Commercial).

No additional mitigation steps are required beyond upgrading.

Useful 0 Not Useful 0