Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from Vendor (vmware).
CVSS VectorVendor: vmware
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
In Micrometer, it is possible for a user to provide specially crafted gRPC requests that may cause a denial-of-service (DoS) condition.
Affected versions: Micrometer 1.16.0 through 1.16.5; 1.15.0 through 1.15.11.
AnalysisAI
Denial-of-service in Micrometer (Spring observability library) versions 1.15.0-1.15.11 and 1.16.0-1.16.5 allows remote unauthenticated attackers to exhaust resources via specially crafted gRPC requests. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflecting availability-only impact, the issue is reachable over the network without credentials, though no public exploit identified at time of analysis. Applications embedding Micrometer's gRPC instrumentation are most exposed.
Technical ContextAI
Micrometer is a vendor-neutral application metrics facade widely used in Spring Boot and other JVM applications to instrument observability data, exporting to backends like Prometheus, Datadog, and others. The vulnerability sits in CWE-400 (Uncontrolled Resource Consumption) territory, meaning the gRPC instrumentation path likely fails to bound CPU, memory, threads, or some other finite resource when processing maliciously shaped request metadata, headers, or payload structures. Because Micrometer's gRPC support is commonly wired in via interceptors that observe every inbound/outbound call, any request that touches the instrumentation layer can trigger the costly code path before the application's own logic runs. CPE data confirms Spring-published Micrometer (cpe:2.3:a:spring:micrometer:*) as the affected product line.
RemediationAI
Patch available per vendor advisory at https://spring.io/security/cve-2026-40983; upgrade to a fixed release in the 1.15.x or 1.16.x line above the affected ranges (1.15.12+ or 1.16.6+ based on the affected-version cutoffs, though exact patched versions should be confirmed against the Spring advisory before scheduling rollouts). If patching cannot be done immediately, compensating controls include placing gRPC ingress behind an authenticated proxy or service mesh (Envoy, Istio) with request-rate and concurrency limits to bound per-client resource use, disabling Micrometer's gRPC interceptors on externally exposed services if the metrics are non-critical (trade-off: loss of observability on those endpoints), and adding container-level CPU/memory limits with aggressive liveness probes so a single instance crash recovers fast rather than dragging down the cluster. Audit Maven/Gradle dependency trees for transitively pulled vulnerable Micrometer versions, since the library is rarely declared as a direct dependency.
More in Micrometer
View allSame weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35318
GHSA-w737-wx49-qj23