CVE-2026-40980
Status: Received - Intake
Memory Exhaustion Vulnerability in Spring AI ForkPDFLayoutTextStripper

Publication date: 2026-04-28

Last updated on: 2026-04-29

Assigner: VMware

Description
In Spring AI, a malicious PDF file can be crafted that triggers the allocation of unreasonable amounts of memory when handled by `ForkPDFLayoutTextStripper`.

Affected versions: Spring AI 1.0.0 - 1.0.5 (fixed in 1.0.6) and 1.1.0 - 1.1.4 (fixed in 1.1.5).
Meta Information

- Published: 2026-04-28
- Last Modified: 2026-04-29
- Generated: 2026-06-16
- AI Q&A: 2026-04-28
- EPSS Evaluated: 2026-06-15
Affected Vendors & Products (2 associated CPEs)

| Vendor | Product   | Version / Range                  |
|--------|-----------|----------------------------------|
| vmware | spring_ai | From 1.0.0 (inc) to 1.0.6 (exc) |
| vmware | spring_ai | From 1.1.0 (inc) to 1.1.5 (exc) |
CWE

- CWE-400: The product does not properly control the allocation and maintenance of a limited resource.
Compliance Impact

This vulnerability in Spring AI causes excessive memory allocation leading to denial of service but does not impact confidentiality or integrity of data.

Since it does not affect data confidentiality or integrity, it is unlikely to directly violate compliance requirements related to data protection standards such as GDPR or HIPAA.

However, the denial of service caused by resource exhaustion could indirectly affect availability requirements under these regulations.

Executive Summary

CVE-2026-40980 is a moderate severity vulnerability in Spring AI versions 1.0.0 through 1.0.5 and 1.1.0 through 1.1.4. It occurs when a maliciously crafted PDF file is processed by the ForkPDFLayoutTextStripper component, causing excessive memory allocation.

This excessive memory allocation can lead to an Out-Of-Memory (OOM) condition, effectively causing a denial of service.

The vulnerability affects only applications that use ForkPDFLayoutTextStripper and pass user-supplied input to DocumentReader instances.

Impact Analysis

The impact of this vulnerability is a denial of service through resource exhaustion.

When a malicious PDF is processed, it triggers unreasonable memory allocation, which can cause the application to run out of memory and potentially crash or become unresponsive.

It does not affect confidentiality or integrity, but availability is impacted.

Detection Guidance

This vulnerability occurs when a maliciously crafted PDF file is processed by the ForkPDFLayoutTextStripper component, causing excessive memory allocation and an Out-Of-Memory (OOM) condition.

Detection would involve monitoring for unusual memory usage or `OutOfMemoryError` events in applications that use ForkPDFLayoutTextStripper to handle PDF files, particularly when the error coincides with processing a user-supplied PDF.

No specific commands or detection tools are provided in the available information.

Mitigation Strategies

The primary mitigation step is to upgrade Spring AI to the fixed versions: 1.0.6 for the 1.0.x branch or 1.1.5 for the 1.1.x branch.

No additional mitigation steps are required.
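As an added example (not from the advisory or the Spring AI project), the following Python script covers both the detection guidance and the mitigation step above: `is_affected` checks a Spring AI version string against the published ranges, and `find_oom_in_stripper` scans application log lines for `java.lang.OutOfMemoryError` entries whose stack trace mentions `ForkPDFLayoutTextStripper`. The log lines and the `org.example` package in the stack frames are constructed placeholders, not real Spring AI output.

```python
import re
from typing import Iterable, List, Tuple

# Affected ranges from the advisory: [1.0.0, 1.0.6) and [1.1.0, 1.1.5)
AFFECTED_RANGES: List[Tuple[tuple, tuple]] = [
    ((1, 0, 0), (1, 0, 6)),
    ((1, 1, 0), (1, 1, 5)),
]

def parse_version(version: str) -> tuple:
    """'1.0.5' or '1.1.4-SNAPSHOT' -> (1, 0, 5); qualifiers are ignored."""
    core = version.split("-")[0]
    return tuple(int(part) for part in core.split("."))

def is_affected(version: str) -> bool:
    """True when the version falls inside one of the vulnerable ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

OOM_RE = re.compile(r"java\.lang\.OutOfMemoryError")
STRIPPER_RE = re.compile(r"ForkPDFLayoutTextStripper")

def find_oom_in_stripper(lines: Iterable[str]) -> List[int]:
    """Return indexes of OutOfMemoryError lines whose following 'at ...'
    stack frames include ForkPDFLayoutTextStripper. Other OOMs are ignored."""
    lines = list(lines)
    hits = []
    for i, line in enumerate(lines):
        if not OOM_RE.search(line):
            continue
        j = i + 1
        while j < len(lines) and lines[j].lstrip().startswith("at "):
            if STRIPPER_RE.search(lines[j]):
                hits.append(i)
                break
            j += 1
    return hits

# Constructed sample log: one OOM inside the PDF stripper, one unrelated OOM.
SAMPLE_LOG = """\
2026-04-28T10:01:02Z INFO  PdfIngest - reading upload report.pdf
2026-04-28T10:01:09Z ERROR PdfIngest - document read failed
java.lang.OutOfMemoryError: Java heap space
\tat org.example.ForkPDFLayoutTextStripper.writePage(ForkPDFLayoutTextStripper.java:123)
\tat org.example.PdfIngest.read(PdfIngest.java:40)
2026-04-28T10:05:00Z ERROR Cache - warmup failed
java.lang.OutOfMemoryError: Java heap space
\tat org.example.Cache.fill(Cache.java:10)
""".splitlines()

if __name__ == "__main__":
    print("1.0.5 affected:", is_affected("1.0.5"))   # True
    print("OOM lines tied to stripper:", find_oom_in_stripper(SAMPLE_LOG))  # [2]
```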
