SB2026042162 - Multiple vulnerabilities in Pivotal Spring Framework
Published: April 21, 2026
Description
This security bulletin contains information about 3 vulnerabilities.
1) Improper Resource Shutdown or Release (CVE-ID: CVE-2026-22740)
CWE-ID: CWE-404 - Improper Resource Shutdown or Release
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper resource management in multipart request handling in Spring WebFlux. Temporary files created for parts larger than 10 K may remain undeleted after request processing under some circumstances. A remote user can send a series of multipart requests to exhaust available disk space.
2) Acceptance of Extraneous Untrusted Data With Trusted Data (CVE-ID: CVE-2026-22741)
CWE-ID: CWE-349 - Acceptance of Extraneous Untrusted Data With Trusted Data
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper cache handling in static resource resolution when processing requests for encoded resources. A remote attacker can send specially crafted requests for encoded resources to cause a denial of service.
Exploitation requires that resource chain support is enabled with caching, that encoded resource resolution is enabled, and that the resource cache is empty.
3) Uncontrolled Resource Consumption (CVE-ID: CVE-2026-22745)
CWE-ID: CWE-400 - Uncontrolled Resource Consumption
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in static resource handling when static resources are resolved from the file system on Windows platforms. A remote attacker can send specially crafted requests whose resolution is slow to cause a denial of service.
The issue affects applications using Spring MVC or Spring WebFlux that serve static resources from the file system on Windows platforms.
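The following is an added example, not code from this bulletin or from the Spring Framework project, showing a WebFlux configuration that removes or bounds the preconditions listed above for all three issues until the vendor update is applied. The package name, storage path and size limits are assumptions chosen for illustration; the Spring APIs used (DefaultPartHttpMessageReader, ResourceHandlerRegistry.resourceChain, EncodedResourceResolver) are real. Spring MVC applications use the same ResourceHandlerRegistry calls through WebMvcConfigurer.

```java
package com.example.hardening; // assumed package name, not from the advisory

import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.codec.ServerCodecConfigurer;
import org.springframework.http.codec.multipart.DefaultPartHttpMessageReader;
import org.springframework.web.reactive.config.EnableWebFlux;
import org.springframework.web.reactive.config.ResourceHandlerRegistry;
import org.springframework.web.reactive.config.WebFluxConfigurer;
import org.springframework.web.reactive.resource.EncodedResourceResolver;

/**
 * Interim hardening for the three issues in this bulletin while the vendor
 * update is rolled out. None of this replaces the upgrade; it removes or
 * bounds the conditions the advisory says exploitation depends on.
 * Under Spring Boot, drop @EnableWebFlux: Boot picks up WebFluxConfigurer
 * beans on its own and the annotation would disable its auto-configuration.
 */
@Configuration
@EnableWebFlux
public class InterimHardeningConfig implements WebFluxConfigurer {

    // Assumed, deployment-specific values; tune to your environment.
    private static final Path MULTIPART_TMP = Paths.get("/var/tmp/app-multipart");
    private static final long MAX_DISK_PER_PART = 10L * 1024 * 1024; // 10 MiB
    private static final int MAX_PARTS = 16;

    @Override
    public void configureHttpMessageCodecs(ServerCodecConfigurer configurer) {
        DefaultPartHttpMessageReader reader = new DefaultPartHttpMessageReader();
        try {
            // CVE-2026-22740: leaked temp files are the symptom. A dedicated
            // directory lets you place it on a quota-limited volume and sweep
            // stale files (e.g. from a cron job) without touching the global tmp dir.
            reader.setFileStorageDirectory(MULTIPART_TMP);
        } catch (IOException e) {
            throw new IllegalStateException("cannot create multipart storage directory", e);
        }
        // Bound what a single request can write to disk. This limits how fast a
        // series of requests fills the volume; it does not stop the leak itself.
        reader.setMaxDiskUsagePerPart(MAX_DISK_PER_PART);
        reader.setMaxParts(MAX_PARTS);
        configurer.defaultCodecs().multipartReader(reader);
    }

    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        // Vulnerable shape for CVE-2026-22741: a resource chain with caching
        // enabled plus EncodedResourceResolver is exactly the precondition the
        // advisory lists.
        //
        //   registry.addResourceHandler("/static/**")
        //           .addResourceLocations("classpath:/static/")
        //           .resourceChain(true)
        //           .addResolver(new EncodedResourceResolver());
        //
        // Interim: keep serving pre-compressed variants but disable the chain
        // cache, which removes the "caching enabled" precondition. Re-enable
        // caching after upgrading; it matters for performance.
        registry.addResourceHandler("/static/**")
                .addResourceLocations("classpath:/static/")
                .resourceChain(false)
                .addResolver(new EncodedResourceResolver());
        // CVE-2026-22745 affects handlers whose locations resolve from the file
        // system on Windows (e.g. "file:C:/app/static/"). On a Windows host,
        // serving the same content from the classpath or a jar keeps the
        // affected code path out of use until the upgrade is in place.
    }
}
```

Review each ResourceHandlerRegistry registration in the application, not only the one shown: the preconditions for the second and third issue are per handler, so a single forgotten `file:` location or cached chain on a secondary handler keeps the application exposed.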
Remediation
Install the fixed Spring Framework release from the vendor; see the spring.io advisories under References for the affected and fixed versions.
References
- https://spring.io/security/cve-2026-22740
- https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H&version=3.1
- https://spring.io/security/cve-2026-22741
- https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L&version=3.1
- https://spring.io/security/cve-2026-22745
- https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1