Skip to main content

Micrometer EUVDEUVD-2026-35320

| CVE-2026-40984 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-06-09 vmware GHSA-g3pr-3p32-fp23
7.5
CVSS 3.1 · Vendor: vmware
Share

Severity by source

Vendor (vmware) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (vmware).

CVSS VectorVendor: vmware

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Patch available
Jun 09, 2026 - 06:01 EUVD
Analysis Generated
Jun 09, 2026 - 05:10 vuln.today

DescriptionCVE.org

In Micrometer, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Affected versions: micrometer-core 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18; 1.9.0 through 1.9.17. micrometer-jetty11 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18. micrometer-jetty12 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18.

AnalysisAI

Denial-of-service in Micrometer (micrometer-core, micrometer-jetty11, and micrometer-jetty12) allows remote unauthenticated attackers to exhaust resources by sending specially crafted HTTP requests against applications that expose Micrometer-instrumented endpoints. The flaw affects a wide swath of supported 1.9.x through 1.16.x release lines and carries a CVSS 7.5 (availability-only) impact. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Technical ContextAI

Micrometer is the de facto application metrics facade for the JVM, used by Spring Boot and many Jetty-based services to expose observability data (counters, timers, distributions) to backends like Prometheus, Datadog, and others. The micrometer-jetty11/jetty12 modules instrument the Jetty 11 and 12 HTTP server request lifecycle, meaning crafted request attributes (URI path, headers, or routing metadata) are processed during metric tagging. The CWE-400 (Uncontrolled Resource Consumption) classification indicates that some request-derived input is allowed to inflate cardinality, allocate unbounded structures, or otherwise consume CPU/memory disproportionately to the request size, which is a classic pitfall for HTTP metric instrumentation libraries that derive tags from request data.

RemediationAI

Upgrade to a fixed Micrometer release line above the listed affected ranges - i.e., beyond 1.9.17 on the 1.9.x line, beyond 1.13.18, 1.14.15, 1.15.11, and 1.16.5 on their respective maintenance branches - by consulting the Spring advisory at https://spring.io/security/cve-2026-40984 for the exact patched build numbers, since exact fix versions are not enumerated in the supplied data (Patch available per vendor advisory). Because Micrometer is almost always pulled in transitively by Spring Boot or other frameworks, audit your dependency tree (mvn dependency:tree / gradle dependencies) and override the micrometer-core, micrometer-jetty11, and micrometer-jetty12 versions explicitly. As a compensating control until patching, place the affected service behind a reverse proxy or WAF that enforces strict URI length, header size, and request-rate limits, and restrict exposure of any /actuator or metrics endpoints to internal networks only; note this does not stop the DoS if any instrumented HTTP path is publicly reachable, since the vulnerability is triggered during request instrumentation rather than at the metrics endpoint itself.

Vendor StatusVendor

Share

EUVD-2026-35320 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy