Skip to main content

Micrometer CVE-2026-40983

| EUVDEUVD-2026-35318 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-06-09 vmware GHSA-w737-wx49-qj23
7.5
CVSS 3.1 · Vendor: vmware
Share

Severity by source

Vendor (vmware) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (vmware).

CVSS VectorVendor: vmware

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Patch available
Jun 09, 2026 - 06:01 EUVD
Analysis Generated
Jun 09, 2026 - 05:11 vuln.today

DescriptionCVE.org

In Micrometer, it is possible for a user to provide specially crafted gRPC requests that may cause a denial-of-service (DoS) condition.

Affected versions: Micrometer 1.16.0 through 1.16.5; 1.15.0 through 1.15.11.

AnalysisAI

Denial-of-service in Micrometer (Spring observability library) versions 1.15.0-1.15.11 and 1.16.0-1.16.5 allows remote unauthenticated attackers to exhaust resources via specially crafted gRPC requests. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflecting availability-only impact, the issue is reachable over the network without credentials, though no public exploit identified at time of analysis. Applications embedding Micrometer's gRPC instrumentation are most exposed.

Technical ContextAI

Micrometer is a vendor-neutral application metrics facade widely used in Spring Boot and other JVM applications to instrument observability data, exporting to backends like Prometheus, Datadog, and others. The vulnerability sits in CWE-400 (Uncontrolled Resource Consumption) territory, meaning the gRPC instrumentation path likely fails to bound CPU, memory, threads, or some other finite resource when processing maliciously shaped request metadata, headers, or payload structures. Because Micrometer's gRPC support is commonly wired in via interceptors that observe every inbound/outbound call, any request that touches the instrumentation layer can trigger the costly code path before the application's own logic runs. CPE data confirms Spring-published Micrometer (cpe:2.3:a:spring:micrometer:*) as the affected product line.

RemediationAI

Patch available per vendor advisory at https://spring.io/security/cve-2026-40983; upgrade to a fixed release in the 1.15.x or 1.16.x line above the affected ranges (1.15.12+ or 1.16.6+ based on the affected-version cutoffs, though exact patched versions should be confirmed against the Spring advisory before scheduling rollouts). If patching cannot be done immediately, compensating controls include placing gRPC ingress behind an authenticated proxy or service mesh (Envoy, Istio) with request-rate and concurrency limits to bound per-client resource use, disabling Micrometer's gRPC interceptors on externally exposed services if the metrics are non-critical (trade-off: loss of observability on those endpoints), and adding container-level CPU/memory limits with aggressive liveness probes so a single instance crash recovers fast rather than dragging down the cluster. Audit Maven/Gradle dependency trees for transitively pulled vulnerable Micrometer versions, since the library is rarely declared as a direct dependency.

Vendor StatusVendor

Share

CVE-2026-40983 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy