CVE-2026-40983
NVD status: Awaiting Analysis

Denial-of-Service in Micrometer via gRPC Requests

Vulnerability report for CVE-2026-40983, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-09

Last updated on: 2026-06-23

Assigner: VMware

Description

In Micrometer, it is possible for a user to provide specially crafted gRPC requests that may cause a denial-of-service (DoS) condition. Affected versions: Micrometer 1.16.0 through 1.16.5; 1.15.0 through 1.15.11.

Meta Information

Published: 2026-06-09
Last Modified: 2026-06-23
Generated: 2026-06-29
AI Q&A: 2026-06-09
EPSS Evaluated: 2026-06-28
External records: NVD, EUVD

Affected Vendors & Products

Vendor    Product      Version range
vmware    micrometer   1.15.0 (inclusive) through 1.15.11 (inclusive); fixed in 1.15.12
vmware    micrometer   1.16.0 (inclusive) through 1.16.5 (inclusive); fixed in 1.16.6

The two ranges are distinct branches: 1.15.12 and later on the 1.15.x line are not affected, so the ranges must not be read as a single span from 1.15.0 to 1.16.5.


CWE

CWE-400 (Uncontrolled Resource Consumption): The product does not properly control the allocation and maintenance of a limited resource.


Detection Guidance

This vulnerability is reachable when specially crafted gRPC requests are sent to an application that uses an affected Micrometer release (1.15.0 through 1.15.11, or 1.16.0 through 1.16.5) in a particular configuration: an ObservationRegistry with a DefaultMeterObservationHandler (or a similar custom ObservationHandler that emits metrics), and ObservationGrpcServerInterceptor installed on the gRPC server. Detection therefore has two parts: confirm which Micrometer version is actually on the classpath, and confirm whether the gRPC server instrumentation is in use.

First verify the Micrometer version in use. Check the resolved dependency graph rather than only the declared one: Micrometer is frequently pulled in transitively (for example through Spring Boot Actuator), and the version that ends up on the classpath can differ from anything written in your own build file. The artifact that carries the gRPC instrumentation is io.micrometer:micrometer-core.

  • Maven: `mvn dependency:list | grep micrometer`, or `mvn dependency:tree -Dincludes=io.micrometer` to see which dependency brings the version in.
  • Gradle: `gradle dependencies --configuration runtimeClasspath | grep micrometer`; in a multi-project build run it per module (for example `gradle :app:dependencies --configuration runtimeClasspath`), because `gradle dependencies` alone reports only the root project. Gradle prints conflict resolution as `requested -> resolved`; the resolved version is the one that matters.
  • Confirm the code path: search the source tree (or the deployed classes) for ObservationGrpcServerInterceptor. If it is not wired into the gRPC server's interceptor chain, the affected code is not reached even on an affected version.

For network-level detection, the advisory publishes no indicators, signatures or description of what makes a request "specially crafted", so there is nothing specific to match on. Monitor the gRPC server for the generic symptoms of resource exhaustion (CWE-400): rising request latency and error rates, thread-pool saturation, heap or CPU pressure, and health-check failures that correlate with inbound gRPC traffic. Treat such an anomaly on an unpatched service as a reason to prioritise the upgrade, not as confirmation of exploitation.

The recommended remediation is to upgrade Micrometer to a fixed release: 1.15.12 on the 1.15.x line or 1.16.6 on the 1.16.x line. No dedicated detection tooling is published for this CVE.
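The two checks above as one script, added here as an example and not part of the advisory or of Micrometer itself. It decides whether a micrometer-core version found in Maven or Gradle dependency output falls in the affected ranges (1.15.0 through 1.15.11, 1.16.0 through 1.16.5), handling Gradle's `requested -> resolved` notation and version qualifiers, and greps a source tree for ObservationGrpcServerInterceptor, the class whose presence puts the affected code path in use. The function names and the sample dependency lines are constructed for this example; the line shapes it parses are the standard output formats of `mvn dependency:list` and `gradle dependencies`.

```shell
#!/bin/sh
# Added example for this advisory (not Micrometer's code or the page's own
# tooling). It applies the affected ranges named above, 1.15.0-1.15.11 and
# 1.16.0-1.16.5, to the micrometer-core versions found in Maven or Gradle
# dependency output, and checks a source tree for the interceptor class
# that puts the affected code path in use. Function names are our own.

# micrometer_affected VERSION -> exit 0 if VERSION is in an affected range.
# A qualifier after '-' (e.g. -SNAPSHOT) is dropped; only x.y.z is compared.
micrometer_affected() {
    ver=${1%%-*}
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3)
    patch=${patch:-0}
    case "$major.$minor.$patch" in
        *[!0-9.]*) return 1 ;;        # not a plain numeric version
    esac
    case "$major.$minor" in
        1.15) [ "$patch" -le 11 ] ;;  # fixed in 1.15.12
        1.16) [ "$patch" -le 5 ] ;;   # fixed in 1.16.6
        *)    return 1 ;;             # other branches are not listed
    esac
}

# extract_micrometer_versions < DEPENDENCY_OUTPUT -> resolved versions of
# io.micrometer:micrometer-core, one per line, de-duplicated. Understands
# Maven's group:artifact:jar:version:scope lines and Gradle's
# group:artifact:version lines, including Gradle's "requested -> resolved"
# conflict notation, where only the resolved version is on the classpath.
extract_micrometer_versions() {
    awk '/io\.micrometer:micrometer-core/ {
        if (match($0, /-> *[0-9][0-9.]*/)) {
            v = substr($0, RSTART, RLENGTH); sub(/-> */, "", v)
        } else if (match($0, /micrometer-core:(jar:)?[0-9][0-9.]*/)) {
            v = substr($0, RSTART, RLENGTH); sub(/.*:/, "", v)
        } else {
            next
        }
        if (!seen[v]++) print v
    }'
}

# uses_grpc_interceptor DIR -> exit 0 if any file under DIR names
# ObservationGrpcServerInterceptor (io.micrometer.core.instrument.binder.grpc).
uses_grpc_interceptor() {
    grep -rq 'ObservationGrpcServerInterceptor' "$1"
}

# report SRC_DIR < DEPENDENCY_OUTPUT -> one verdict per version found.
# Exits 1 only when an affected version is paired with the interceptor,
# i.e. when both preconditions from the advisory hold.
report() {
    if uses_grpc_interceptor "$1"; then
        reach="interceptor present"
    else
        reach="interceptor not found"
    fi
    status=0
    for v in $(extract_micrometer_versions); do
        if micrometer_affected "$v"; then
            echo "micrometer-core $v: AFFECTED by CVE-2026-40983 ($reach)"
            if [ "$reach" = "interceptor present" ]; then status=1; fi
        else
            echo "micrometer-core $v: not affected"
        fi
    done
    return $status
}

# Constructed sample of dependency output (not from a real project): a Maven
# line, a Gradle line with conflict resolution, and a Gradle line on a fix.
SAMPLE_DEPS='[INFO]    io.micrometer:micrometer-core:jar:1.16.5:compile
+--- io.micrometer:micrometer-core:1.15.9 -> 1.15.11
\--- io.micrometer:micrometer-core:1.16.6 (*)'

# Usage: mvn dependency:list | sh check_micrometer.sh src/main/java
#    or: gradle dependencies --configuration runtimeClasspath | sh check_micrometer.sh src
# With no argument only the functions are defined (handy for sourcing);
# to see the sample run: printf '%s\n' "$SAMPLE_DEPS" | report .
if [ $# -gt 0 ]; then
    report "$1"
fi
```

On the sample input the script reports 1.16.5 and 1.15.11 as affected and 1.16.6 as fixed, and exits non-zero only if the source tree also names the interceptor. Two details carry the practical weight: the Gradle line is judged on the version after the arrow, because that is what Gradle actually resolves onto the classpath, and a `-SNAPSHOT` or similar qualifier is stripped before comparison, so a pre-release of a fixed version is treated as that version rather than silently ignored.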

Executive Summary

CVE-2026-40983 is a denial-of-service (DoS) vulnerability in Micrometer's gRPC server instrumentation. It occurs when a user sends specially crafted gRPC requests to an application using a vulnerable version of Micrometer (versions 1.15.0 to 1.15.11 and 1.16.0 to 1.16.5). The vulnerability affects applications that use an ObservationRegistry, have a DefaultMeterObservationHandler or a similar custom ObservationHandler for metrics output, and employ ObservationGrpcServerInterceptor for gRPC server instrumentation.

Such a request can drive the application into a denial-of-service state, making it unavailable to legitimate users.

Impact Analysis

This vulnerability can cause a denial-of-service (DoS) condition in applications using vulnerable versions of Micrometer with gRPC server instrumentation. An attacker can send crafted gRPC requests that disrupt the normal operation of the application, potentially making it unavailable to legitimate users.

The impact is to availability only: the CVSS assessment rates the availability impact as high, with no impact on confidentiality or integrity.

Mitigation Strategies

To remediate CVE-2026-40983, upgrade Micrometer to a fixed release.

  • Upgrade to 1.15.12 if you are on the 1.15.x branch.
  • Upgrade to 1.16.6 if you are on the 1.16.x branch.

No additional steps are required once the fixed version is on the classpath. Two practical caveats: if the version is managed for you by a platform such as Spring Boot's dependency management, override the managed version (in Spring Boot, the `micrometer.version` property) and re-check the resolved dependency graph afterwards, since declaring a newer version is not the same as having it resolved. If the upgrade cannot be rolled out immediately, the preconditions in the description imply that exposure can be reduced by removing ObservationGrpcServerInterceptor from the gRPC server's interceptor chain (at the cost of gRPC server metrics) or by restricting who can reach the gRPC endpoint; these are stop-gaps, not substitutes for upgrading.

Compliance Impact

The provided information does not specify any direct impact of this denial-of-service (DoS) vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
