SB2026052514 - Multiple vulnerabilities in IBM Library Support for Spring

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026052514

SB2026052514 - Multiple vulnerabilities in IBM Library Support for Spring

Published: May 25, 2026

Security Bulletin ID SB2026052514
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 33% Low 67%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 vulnerabilities.


1) Improper Resource Shutdown or Release (CVE-ID: CVE-2026-22740)

CWE-ID: CWE-404 - Improper Resource Shutdown or Release

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper resource management in multipart request handling in WebFlux when processing multipart requests. A remote user can send a series of multipart requests to consume available disk space.

Temp files created for parts larger than 10 K may remain undeleted after request processing under some circumstances.


2) Acceptance of Extraneous Untrusted Data With Trusted Data (CVE-ID: CVE-2026-22741)

CWE-ID: CWE-349 - Acceptance of Extraneous Untrusted Data With Trusted Data

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper cache control in static resource resolution when handling malicious requests for encoded resources. A remote attacker can send malicious requests to cause a denial of service.

Exploitation requires resource chain support with caching enabled, encoded resource resolution enabled, and an empty resource cache.


3) Resource exhaustion (CVE-ID: CVE-2026-22745)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in static resource handling when resolving static resources from the file system on Windows platforms. A remote attacker can send malicious requests that are slow to resolve to cause a denial of service.

The issue affects applications using Spring MVC or Spring WebFlux that serve static resources from the file system on Windows platforms.


Remediation

Install update from vendor's website.

References