CVE-2026-40980
Status: Received - Intake
Memory Exhaustion Vulnerability in Spring AI ForkPDFLayoutTextStripper

Publication date: 2026-04-28

Last updated on: 2026-04-29

Assigner: VMware

Description
In Spring AI, a malicious PDF file can be crafted that triggers the allocation of unreasonable amounts of memory when handled by `ForkPDFLayoutTextStripper`. Affected versions: Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)
Meta Information
Published: 2026-04-28
Last Modified: 2026-04-29
Generated: 2026-05-06
AI Q&A: 2026-04-28
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor Product Version / Range
vmware spring_ai From 1.0.0 (inc) to 1.0.6 (exc)
vmware spring_ai From 1.1.0 (inc) to 1.1.5 (exc)
CWE
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability in Spring AI causes excessive memory allocation leading to denial of service but does not impact confidentiality or integrity of data.

Since it does not affect data confidentiality or integrity, it is unlikely to directly violate compliance requirements related to data protection standards such as GDPR or HIPAA.

However, the denial of service caused by resource exhaustion could indirectly affect availability requirements under these regulations.


Can you explain this vulnerability to me?

CVE-2026-40980 is a moderate severity vulnerability in Spring AI versions 1.0.0 through 1.0.5 and 1.1.0 through 1.1.4. It occurs when a maliciously crafted PDF file is processed by the ForkPDFLayoutTextStripper component, causing excessive memory allocation.

This excessive memory allocation can lead to an Out-Of-Memory (OOM) condition, effectively causing a denial of service.

The vulnerability affects only applications that use ForkPDFLayoutTextStripper and pass user-supplied input to DocumentReader instances.


How can this vulnerability impact me?

This vulnerability can impact you by causing a denial of service through resource exhaustion.

When a malicious PDF is processed, it triggers unreasonable memory allocation, which can cause the application to run out of memory and potentially crash or become unresponsive.

It does not affect confidentiality or integrity, but availability is impacted.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability occurs when a maliciously crafted PDF file is processed by the ForkPDFLayoutTextStripper component, causing excessive memory allocation and an Out-Of-Memory (OOM) condition.

Detection would involve monitoring for unusual memory usage or OOM errors in applications using ForkPDFLayoutTextStripper when handling PDF files.

No specific commands or detection tools are provided in the available information.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade Spring AI to the fixed versions: 1.0.6 for the 1.0.x branch or 1.1.5 for the 1.1.x branch.

No additional mitigation steps are required.
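As an added example (not code from the advisory or from the Spring AI project), a checker that reads `mvn dependency:list` output and flags Spring AI artifacts whose version falls inside the affected ranges listed above; the Maven group id `org.springframework.ai` and the artifact names in the constructed sample are assumptions.

```python
"""Added example, not part of the advisory: flag Spring AI artifact versions
that fall inside the ranges CVE-2026-40980 lists as affected."""
import re

# Affected ranges from the advisory: [1.0.0, 1.0.6) and [1.1.0, 1.1.5).
# Upper bounds are exclusive because 1.0.6 and 1.1.5 are the fixed releases.
AFFECTED_RANGES = (((1, 0, 0), (1, 0, 6)), ((1, 1, 0), (1, 1, 5)))
# Assumed Maven group id for Spring AI artifacts (not stated on the page).
SPRING_AI_GROUP = "org.springframework.ai"
# Matches a coordinate line as printed by `mvn dependency:list`:
#   [INFO]    group:artifact:packaging:version:scope
COORD_RE = re.compile(r"^\[INFO\]\s+([\w.\-]+):([\w.\-]+):[\w\-]+:([\w.\-]+):\w+")

def parse_version(version: str) -> tuple:
    """'1.0.5' -> (1, 0, 5); a pre-release suffix such as '-M1' is dropped,
    so a milestone is compared as its base version."""
    return tuple(int(part) for part in version.split("-")[0].split("."))

def is_affected(version: str) -> bool:
    """True when the version lies in an affected range (lower inclusive, upper exclusive)."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def find_affected(dependency_list: str) -> list:
    """Return (artifact, version) pairs for Spring AI dependencies in affected ranges."""
    hits = []
    for line in dependency_list.splitlines():
        m = COORD_RE.match(line)
        if m is None:
            continue
        group, artifact, version = m.groups()
        if group == SPRING_AI_GROUP and is_affected(version):
            hits.append((artifact, version))
    return hits

# Constructed sample in the `mvn dependency:list` output format.
SAMPLE = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework.ai:spring-ai-pdf-document-reader:jar:1.0.5:compile
[INFO]    org.springframework.ai:spring-ai-core:jar:1.1.5:compile
[INFO]    org.apache.pdfbox:pdfbox:jar:3.0.2:compile
"""

if __name__ == "__main__":
    for artifact, version in find_affected(SAMPLE):
        print(f"affected: {artifact} {version}")
```

Pipe real `mvn dependency:list` output into `find_affected` to check a build; any hit means the upgrade to 1.0.6 or 1.1.5 described above still applies.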

