CVE-2026-40990
Analyzed - Analysis Complete
Out of Memory Error in Spring Cloud Function

Publication date: 2026-06-01

Last updated on: 2026-06-05

Assigner: VMware

Description
OOM error is possible while attempting to add infinite amount of functions to Function Registry.

Affected Spring Products and Versions:

  • Spring Cloud Function 3.2.x: versions prior to 3.2.16
  • Spring Cloud Function 4.1.x: versions prior to 4.1.10
  • Spring Cloud Function 4.2.x: versions prior to 4.2.6
  • Spring Cloud Function 4.3.x: versions prior to 4.3.3
  • Spring Cloud Function 5.0.x: versions prior to 5.0.2

Older, unsupported versions are also affected.

Meta Information

  • Published: 2026-06-01
  • Last Modified: 2026-06-05
  • Generated: 2026-06-22
  • AI Q&A: 2026-06-01
  • EPSS Evaluated: 2026-06-20

Affected Vendors & Products

Vendor   Product                 Version / Range
vmware   spring_cloud_function   From 3.2.0 (inc) to 3.2.16 (exc)
vmware   spring_cloud_function   From 4.1.0 (inc) to 4.1.10 (exc)
vmware   spring_cloud_function   From 4.2.0 (inc) to 4.2.6 (exc)
vmware   spring_cloud_function   From 5.0.0 (inc) to 5.0.2 (exc)
vmware   spring_cloud_function   From 4.3.0 (inc) to 4.3.3 (exc)

CWE

  • CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Executive Summary

CVE-2026-40990 is a security vulnerability in multiple versions of Spring Cloud Function. It involves an unbounded cache for function definitions, which means that an attacker can add an unlimited number of functions to the Function Registry.

This can cause an Out-of-Memory (OOM) error, potentially crashing the application or causing it to become unresponsive.

Impact Analysis

The vulnerability can lead to an Out-of-Memory (OOM) error by allowing an attacker to add an excessive number of functions to the Function Registry.

This can cause the affected application to crash or become unresponsive, resulting in denial of service or disruption of normal operations.

Mitigation Strategies

To mitigate CVE-2026-40990, upgrade Spring Cloud Function to the fixed version for your release line:

  • For Spring Cloud Function 3.2.x, upgrade to version 3.2.16 (Enterprise Support Only).
  • For Spring Cloud Function 4.1.x, upgrade to version 4.1.10 (Enterprise Support Only).
  • For Spring Cloud Function 4.2.x, upgrade to version 4.2.6 (Enterprise Support Only).
  • For Spring Cloud Function 4.3.x, upgrade to version 4.3.3 (OSS).
  • For Spring Cloud Function 5.0.x, upgrade to version 5.0.2 (OSS).

Applying these updates will address the unbounded cache issue that can lead to an Out-of-Memory error.
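
A way to check an inventory of resolved Spring Cloud Function versions against the fixed releases listed above. This is an added example, not code from the advisory or from the Spring project; the service names and inventory are constructed, and treating unlisted older lines (such as 4.0.x) and pre-release builds of a fixed version as affected is an assumption.

```python
import re

# Fixed patch release per supported line, taken from the advisory text above.
FIXED = {(3, 2): 16, (4, 1): 10, (4, 2): 6, (4, 3): 3, (5, 0): 2}
NEWEST_LISTED_LINE = max(FIXED)

# Qualifiers that mark a build made before the final release of that version.
PRERELEASE = re.compile(r"(snapshot|rc\d*|m\d+|alpha|beta)", re.I)
VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def assess(version: str) -> str:
    """Return 'affected', 'fixed', or 'not-listed' for a version string."""
    m = VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    # Compare components as integers: as strings, "10" would sort before "9".
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    prerelease = bool(PRERELEASE.search(m[4]))
    line = (major, minor)

    if line in FIXED:
        fixed_patch = FIXED[line]
        # Assumption: a snapshot/RC/milestone of the fixed version may predate the fix.
        if patch < fixed_patch or (patch == fixed_patch and prerelease):
            return "affected"
        return "fixed"
    if line < NEWEST_LISTED_LINE:
        # Assumption: unlisted older lines (e.g. 4.0.x, 3.1.x) are the
        # "older, unsupported versions" the description says are affected.
        return "affected"
    return "not-listed"  # newer than any line the advisory names


def audit(dependencies: dict[str, str]) -> dict[str, str]:
    """Map each service name to its assessment."""
    return {name: assess(v) for name, v in dependencies.items()}


if __name__ == "__main__":
    # Constructed inventory: service name -> resolved spring-cloud-function version.
    inventory = {"billing": "4.1.9", "ingest": "4.3.3", "legacy": "3.0.7.RELEASE",
                 "edge": "5.0.2-SNAPSHOT", "lab": "5.1.0"}
    for service, verdict in audit(inventory).items():
        print(f"{service:8} {inventory[service]:16} {verdict}")
```

Feed it the versions your build tool actually resolves, since a transitive dependency can pin a different release than the one declared.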

Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.
