Spring Cloud Function OOM via infinite function registry (pre 5.0.2)
CVE-2026-40990 Published on June 1, 2026
Unbounded cache for function definitions
An out-of-memory (OOM) error is possible when an attempt is made to add an unbounded number of functions to the Function Registry.
Affected Spring Products and Versions:
Spring Cloud Function 3.2.x: versions prior to 3.2.16
Spring Cloud Function 4.1.x: versions prior to 4.1.10
Spring Cloud Function 4.2.x: versions prior to 4.2.6
Spring Cloud Function 4.3.x: versions prior to 4.3.3
Spring Cloud Function 5.0.x: versions prior to 5.0.2
Older, unsupported versions are also affected.
Vulnerability Analysis
CVE-2026-40990 is exploitable with physical access, and requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. An exploit of this vulnerability is considered to have no impact on confidentiality, no impact on integrity, and a high impact on availability.
Weakness Type
Allocation of Resources Without Limits or Throttling
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
Products Associated with CVE-2026-40990
Affected Versions
Spring Cloud Function:
- Versions from 3.2.0 up to, but not including, 3.2.16 are affected.
- Versions from 4.1.0 up to, but not including, 4.1.10 are affected.
- Versions from 4.2.0 up to, but not including, 4.2.6 are affected.
- Versions from 4.3.0 up to, but not including, 4.3.3 are affected.
- Versions from 5.0.0 up to, but not including, 5.0.2 are affected.
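The two affected-version lists on this page can be turned into a dependency triage check. The following is an added example, not code from the Spring project or from this page. It assumes `mvn dependency:list`-style input, that artifact ids starting with `spring-cloud-function` are the relevant ones, and that release lines the page does not list are "older, unsupported" if they precede 5.0 and unknown otherwise.

```python
import re

# Fixed patch release per release line, from the affected-version lists on this page.
FIXED = {(3, 2): 16, (4, 1): 10, (4, 2): 6, (4, 3): 3, (5, 0): 2}
PRERELEASE = re.compile(r"(?i)[-.](snapshot|rc\d*|m\d+)\b")

def classify(version):
    """Return 'affected', 'fixed' or 'unknown' for a Spring Cloud Function version."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?(.*)$", version.strip())
    if not m:
        return "unknown"
    line = (int(m.group(1)), int(m.group(2)))
    patch = int(m.group(3) or 0)
    if line in FIXED:
        if patch < FIXED[line]:
            return "affected"
        # Assumption: a snapshot/milestone/RC of the fixed release may predate the fix.
        if patch == FIXED[line] and PRERELEASE.search(m.group(4)):
            return "unknown"
        return "fixed"
    # Assumption: an unlisted line older than 5.0 (e.g. 4.0.x, 3.1.x) is one of the
    # "older, unsupported versions" the page says are also affected.
    if line < max(FIXED):
        return "affected"
    return "unknown"  # newer line the page does not mention

def triage(dependency_lines):
    """Classify spring-cloud-function artifacts in `mvn dependency:list`-style lines."""
    findings = {}
    for raw in dependency_lines:
        tokens = raw.split()
        if not tokens:
            continue
        parts = tokens[-1].split(":")  # groupId:artifactId:type:version:scope
        if len(parts) >= 4 and parts[1].startswith("spring-cloud-function"):
            findings[parts[1]] = (parts[3], classify(parts[3]))
    return findings

# Constructed sample input, not taken from a real build.
SAMPLE = [
    "[INFO]    org.springframework.cloud:spring-cloud-function-context:jar:4.1.9:compile",
    "[INFO]    org.springframework.cloud:spring-cloud-function-web:jar:4.3.3:compile",
    "[INFO]    org.springframework:spring-core:jar:6.1.5:compile",
]

if __name__ == "__main__":
    for artifact, (version, status) in triage(SAMPLE).items():
        print(f"{artifact} {version}: {status}")
```

An `unknown` result means the page gives no basis for a verdict and the version should be checked against the vendor advisory.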