Resource exhaustion in Spring Cloud Function - CVE-2026-40990

 

Resource exhaustion in Spring Cloud Function - CVE-2026-40990

Published: May 11, 2026


Vulnerability identifier: #VU130981
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-40990
CWE-ID: CWE-400
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: VMware, Inc
Affected software:
Spring Cloud Function

Detailed vulnerability description

The vulnerability allows an attacker with physical access to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in the function registry when adding function definitions. An attacker with physical access can add an infinite number of functions to cause a denial of service.

User interaction is required.


How to mitigate CVE-2026-40990

Install security update from vendor's website.

Sources