Skip to main content

Spring Cloud Function EUVDEUVD-2026-33734

| CVE-2026-40990 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-06-01 vmware GHSA-x4h3-g2x4-8gqv
5.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.7 MEDIUM
AV:P/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:H
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

2
Patch available
Jun 01, 2026 - 20:02 EUVD
Analysis Generated
Jun 01, 2026 - 19:35 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 154 maven packages depend on org.springframework.cloud:spring-cloud-function-context (16 direct, 138 indirect)

Ecosystem-wide dependent count for version 4.3.0.

DescriptionCVE.org

OOM error is possible while attempting to add infinite amount of functions to Function Registry.

Affected Spring Products and Versions: Spring Cloud Function 3.2.x: versions prior to 3.2.16 Spring Cloud Function 4.1.x: versions prior to 4.1.10 Spring Cloud Function 4.2.x: versions prior to 4.2.6 Spring Cloud Function 4.3.x: versions prior to 4.3.3 Spring Cloud Function 5.0.x: versions prior to 5.0.2 Older, unsupported versions are also affected.

AnalysisAI

Denial-of-service in Spring Cloud Function allows a low-privileged actor with physical access and required user interaction to exhaust JVM heap memory by registering an unbounded number of functions into the Function Registry, triggering an Out-of-Memory (OOM) crash. Five actively maintained release lines (3.2.x through 5.0.x) plus all unsupported versions are affected. No public exploit code exists and the vulnerability is not listed in CISA KEV at time of analysis; the CVSS score of 5.7 reflects the physical access vector and user interaction dependency that substantially constrain real-world exploitability compared to the High availability impact alone.

Technical ContextAI

Spring Cloud Function (CPE: cpe:2.3:a:spring:spring_cloud_function:*:*:*:*:*:*:*:*) is a Java framework developed under VMware/Broadcom's Spring portfolio that abstracts business logic as portable functions deployable across serverless runtimes, messaging platforms, and web endpoints. The Function Registry is a core internal component responsible for maintaining named function beans available to the runtime. The root cause is CWE-770 (Allocation of Resources Without Limits or Throttling): the registry imposes no cap on the quantity of functions that can be registered, allowing heap-allocated objects to accumulate without bound. In a JVM environment, uncontrolled heap growth results in an OutOfMemoryError, which can terminate the process or render it unresponsive. The CVSS scope value of Changed (S:C) indicates the OOM condition can propagate beyond the vulnerable component to affect the host JVM and any co-hosted services sharing the same process or memory space.

RemediationAI

The primary remediation is upgrading Spring Cloud Function to a patched release: 3.2.16 for the 3.2.x line, 4.1.10 for 4.1.x, 4.2.6 for 4.2.x, 4.3.3 for 4.3.x, or 5.0.2 for 5.0.x, as documented in the Spring Security Advisory at https://spring.io/security/cve-2026-40990. Users on older, unsupported versions should migrate to a supported and patched release; HeroDevs may offer commercial extended support guidance at https://www.herodevs.com/vulnerability-directory/cve-2026-40990. Where immediate patching is not feasible, restrict access to any interface that permits dynamic function registration to only explicitly authorized and trusted principals, reducing the likelihood a low-privileged user can trigger unbounded registration. Configuring explicit JVM heap limits (e.g., -Xmx) and deploying the application in a containerized environment with memory cgroup limits can bound the blast radius of an OOM event and prevent host-level impact, though this trades available performance headroom and may introduce premature GC pressure under normal load. Monitoring for anomalous spikes in registered function counts or heap utilization can serve as a detection control.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

EUVD-2026-33734 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy