CVE-2026-40990
Description
Spring Cloud Function allows denial of service via an unbounded cache for function definitions, leading to Out-Of-Memory errors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An Out-Of-Memory (OOM) error is possible in Spring Cloud Function when attempting to add an unbounded number of functions to the Function Registry. This vulnerability affects Spring Cloud Function versions prior to 3.2.16, 4.1.10, 4.2.6, 4.3.3, and 5.0.2 [1].
Exploitation
An attacker can trigger this vulnerability by sending requests that add an unbounded number of functions to the Function Registry. No specific authentication or network position is mentioned as required for exploitation in the available references.
Impact
Successful exploitation of this vulnerability can lead to a denial-of-service (DoS) condition due to an Out-Of-Memory error, crashing the application and making it unavailable to legitimate users [1].
Mitigation
Spring Cloud Function versions 3.2.16, 4.1.10, 4.2.6, 4.3.3, and 5.0.2 and later contain a fix for this vulnerability [1]. Users are advised to upgrade to these fixed versions. Older, unsupported versions are also affected and should be upgraded if possible.
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
- Range: <3.2.16, <4.1.10, <4.2.6, <4.3.3, <5.0.2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions: 0
No linked articles in our index yet.