Unbounded cache for function definitions_CVE-2026-40990

5.7 / 10

MEDIUM

CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:H

Description

OOM error is possible while attempting to add infinite amount of functions to Function Registry.

Affected Spring Products and Versions:
Spring Cloud Function 3.2.x: versions prior to 3.2.16
Spring Cloud Function 4.1.x: versions prior to 4.1.10
Spring Cloud Function 4.2.x: versions prior to 4.2.6
Spring Cloud Function 4.3.x: versions prior to 4.3.3
Spring Cloud Function 5.0.x: versions prior to 5.0.2
Older, unsupported versions are also affected.

Basic Information

ID CVE-2026-40990

Source vmware

Published Jun 1, 2026 at 17:49

Affected Product

Vendor Spring

Product Spring Cloud Function

Version 3.2.0

Affected Versions Spring Spring Cloud Function 3.2.0
Spring Spring Cloud Function 4.1.0
Spring Spring Cloud Function 4.2.0
Spring Spring Cloud Function 4.3.0
Spring Spring Cloud Function 5.0.0

CWE Classification

CWE-770

References

spring.io /security/cve-2026-40990

{
    "lastseen": "",
    "description": "OOM error is possible while attempting to add infinite amount of functions to Function Registry.\n\nAffected Spring Products and Versions:\nSpring Cloud Function 3.2.x: versions prior to 3.2.16\nSpring Cloud Function 4.1.x: versions prior to 4.1.10\nSpring Cloud Function 4.2.x: versions prior to 4.2.6\nSpring Cloud Function 4.3.x: versions prior to 4.3.3\nSpring Cloud Function 5.0.x: versions prior to 5.0.2\nOlder, unsupported versions are also affected.",
    "published": "2026-06-01T17:49:16.377Z",
    "modified": "2026-06-01T17:49:16.377Z",
    "type": "cve",
    "title": "Unbounded cache for function definitions",
    "source": "vmware",
    "references": "https://spring.io/security/cve-2026-40990",
    "id": "CVE-2026-40990",
    "bulletinFamily": "",
    "cwe": [
        "CWE-770"
    ],
    "cvelist": null,
    "sourceData": "Spring Spring Cloud Function 3.2.0\nSpring Spring Cloud Function 4.1.0\nSpring Spring Cloud Function 4.2.0\nSpring Spring Cloud Function 4.3.0\nSpring Spring Cloud Function 5.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.7,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Spring Cloud Function",
    "version": "3.2.0",
    "vendor": "Spring",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}