CVE-2026-40990
Received - Intake
Out of Memory Error in Spring Cloud Function

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: VMware

Description
An OOM error is possible while attempting to add an unbounded number of functions to the Function Registry.

Affected Spring Products and Versions:

  • Spring Cloud Function 3.2.x: versions prior to 3.2.16
  • Spring Cloud Function 4.1.x: versions prior to 4.1.10
  • Spring Cloud Function 4.2.x: versions prior to 4.2.6
  • Spring Cloud Function 4.3.x: versions prior to 4.3.3
  • Spring Cloud Function 5.0.x: versions prior to 5.0.2

Older, unsupported versions are also affected.
Meta Information
Published: 2026-06-01
Last Modified: 2026-06-01
Generated: 2026-06-02
AI Q&A: 2026-06-01
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 5 associated CPEs
Vendor    Product                  Version / Range
vmware    spring_cloud_function    up to 3.2.16 (exclusive)
vmware    spring_cloud_function    up to 4.1.10 (exclusive)
vmware    spring_cloud_function    up to 4.2.6 (exclusive)
vmware    spring_cloud_function    up to 4.3.3 (exclusive)
vmware    spring_cloud_function    up to 5.0.2 (exclusive)
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-40990 is a security vulnerability in multiple versions of Spring Cloud Function. It involves an unbounded cache for function definitions, which means that an attacker can add an unlimited number of functions to the Function Registry.

This can cause an Out-of-Memory (OOM) error, potentially crashing the application or causing it to become unresponsive.


How can this vulnerability impact me?

The vulnerability can lead to an Out-of-Memory (OOM) error by allowing an attacker to add an excessive number of functions to the Function Registry.

This can cause the affected application to crash or become unresponsive, resulting in denial of service or disruption of normal operations.


What immediate steps should I take to mitigate this vulnerability?

To mitigate CVE-2026-40990, upgrade Spring Cloud Function to the fixed version for your release line:

  • For Spring Cloud Function 3.2.x, upgrade to version 3.2.16 (Enterprise Support Only).
  • For Spring Cloud Function 4.1.x, upgrade to version 4.1.10 (Enterprise Support Only).
  • For Spring Cloud Function 4.2.x, upgrade to version 4.2.6 (Enterprise Support Only).
  • For Spring Cloud Function 4.3.x, upgrade to version 4.3.3 (OSS).
  • For Spring Cloud Function 5.0.x, upgrade to version 5.0.2 (OSS).

Applying these updates will address the unbounded cache issue that can lead to an Out-of-Memory error.
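
To check a build against the fixed versions listed above, the following added example (not code from the advisory or from the Spring project) scans `mvn dependency:list`-style output and labels each Spring Cloud Function module. The sample lines are constructed, and reporting a pre-release build of a fixed version number, or a branch newer than 5.0.x, as "unknown" is an assumption.

```python
import re

# First fixed release per affected branch, taken from the list above.
FIXED = {(3, 2): (3, 2, 16), (4, 1): (4, 1, 10), (4, 2): (4, 2, 6),
         (4, 3): (4, 3, 3), (5, 0): (5, 0, 2)}
# Assumed input: groupId:artifactId:type:version:scope lines as printed by
# `mvn dependency:list`; matching on the artifact prefix is an assumption.
DEP = re.compile(r"org\.springframework\.cloud:(spring-cloud-function-[\w-]+)"
                 r":\w+:(\d+)\.(\d+)\.(\d+)([^:\s]*)")
PRE_RELEASE = re.compile(r"[.-]?(SNAPSHOT|RC\d+|M\d+)", re.I)

def classify(major, minor, patch, suffix=""):
    """Return 'affected', 'fixed' or 'unknown' for one version."""
    fixed = FIXED.get((major, minor))
    if fixed is None:
        # Unlisted older branches are unsupported and affected; the advisory
        # says nothing about branches newer than 5.0.x.
        return "affected" if (major, minor) < max(FIXED) else "unknown"
    version = (major, minor, patch)
    if version < fixed:
        return "affected"
    # A pre-release build carrying the fixed version number (for example
    # 5.0.2-SNAPSHOT) may predate the fix, so it is not reported as fixed.
    if version == fixed and PRE_RELEASE.fullmatch(suffix):
        return "unknown"
    return "fixed"

def scan(dependency_list_text):
    """Return sorted (artifact, version, status) tuples for matching modules."""
    findings = set()
    for m in DEP.finditer(dependency_list_text):
        artifact, major, minor, patch, suffix = m.groups()
        status = classify(int(major), int(minor), int(patch), suffix)
        findings.add((artifact, f"{major}.{minor}.{patch}{suffix}", status))
    return sorted(findings)

# Constructed sample input, not output from a real project.
SAMPLE = """\
[INFO]    org.springframework.cloud:spring-cloud-function-context:jar:4.1.3:compile
[INFO]    org.springframework.cloud:spring-cloud-function-core:jar:4.3.3:compile
[INFO]    org.springframework.cloud:spring-cloud-function-web:jar:3.1.7:compile
[INFO]    org.springframework.cloud:spring-cloud-function-context:jar:5.0.2-SNAPSHOT:test
[INFO]    org.springframework.boot:spring-boot:jar:3.3.0:compile
"""

if __name__ == "__main__":
    for artifact, version, status in scan(SAMPLE):
        print(f"{status:8} {artifact} {version}")
```
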

