Severity by source
AV:P/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:H
Lifecycle Timeline
2Blast Radius
ecosystem impact- 154 maven packages depend on org.springframework.cloud:spring-cloud-function-context (16 direct, 138 indirect)
Ecosystem-wide dependent count for version 4.3.0.
DescriptionCVE.org
OOM error is possible while attempting to add infinite amount of functions to Function Registry.
Affected Spring Products and Versions: Spring Cloud Function 3.2.x: versions prior to 3.2.16 Spring Cloud Function 4.1.x: versions prior to 4.1.10 Spring Cloud Function 4.2.x: versions prior to 4.2.6 Spring Cloud Function 4.3.x: versions prior to 4.3.3 Spring Cloud Function 5.0.x: versions prior to 5.0.2 Older, unsupported versions are also affected.
AnalysisAI
Denial-of-service in Spring Cloud Function allows a low-privileged actor with physical access and required user interaction to exhaust JVM heap memory by registering an unbounded number of functions into the Function Registry, triggering an Out-of-Memory (OOM) crash. Five actively maintained release lines (3.2.x through 5.0.x) plus all unsupported versions are affected. No public exploit code exists and the vulnerability is not listed in CISA KEV at time of analysis; the CVSS score of 5.7 reflects the physical access vector and user interaction dependency that substantially constrain real-world exploitability compared to the High availability impact alone.
Technical ContextAI
Spring Cloud Function (CPE: cpe:2.3:a:spring:spring_cloud_function:*:*:*:*:*:*:*:*) is a Java framework developed under VMware/Broadcom's Spring portfolio that abstracts business logic as portable functions deployable across serverless runtimes, messaging platforms, and web endpoints. The Function Registry is a core internal component responsible for maintaining named function beans available to the runtime. The root cause is CWE-770 (Allocation of Resources Without Limits or Throttling): the registry imposes no cap on the quantity of functions that can be registered, allowing heap-allocated objects to accumulate without bound. In a JVM environment, uncontrolled heap growth results in an OutOfMemoryError, which can terminate the process or render it unresponsive. The CVSS scope value of Changed (S:C) indicates the OOM condition can propagate beyond the vulnerable component to affect the host JVM and any co-hosted services sharing the same process or memory space.
RemediationAI
The primary remediation is upgrading Spring Cloud Function to a patched release: 3.2.16 for the 3.2.x line, 4.1.10 for 4.1.x, 4.2.6 for 4.2.x, 4.3.3 for 4.3.x, or 5.0.2 for 5.0.x, as documented in the Spring Security Advisory at https://spring.io/security/cve-2026-40990. Users on older, unsupported versions should migrate to a supported and patched release; HeroDevs may offer commercial extended support guidance at https://www.herodevs.com/vulnerability-directory/cve-2026-40990. Where immediate patching is not feasible, restrict access to any interface that permits dynamic function registration to only explicitly authorized and trusted principals, reducing the likelihood a low-privileged user can trigger unbounded registration. Configuring explicit JVM heap limits (e.g., -Xmx) and deploying the application in a containerized environment with memory cgroup limits can bound the blast radius of an OOM event and prevent host-level impact, though this trades available performance headroom and may introduce premature GC pressure under normal load. Monitoring for anomalous spikes in registered function counts or heap utilization can serve as a detection control.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33734
GHSA-x4h3-g2x4-8gqv