CVE-2026-40989: Spring Cloud Function Infinite Recursion OOM Vulnerability
Spring Cloud Function versions across multiple release lines contain a flaw in the routing layer that can trigger infinite recursion during request handling. This recursion exhausts available memory, causing an out-of-memory (OOM) error that crashes the application. The vulnerability requires either physical access to the system or authenticated local access to exploit, which limits its immediate risk in cloud-native deployments but remains a concern for containerized environments or systems with weak internal network segmentation.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.7 MEDIUM · CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:H
- Weaknesses (CWE)
- CWE-674
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Under infinite recursion in the routing layer, request-handling can cause OOM error. Affected Spring Products and Versions: Spring Cloud Function 3.2.x: versions prior to 3.2.16 Spring Cloud Function 4.1.x: versions prior to 4.1.10 Spring Cloud Function 4.2.x: versions prior to 4.2.6 Spring Cloud Function 4.3.x: versions prior to 4.3.3 Spring Cloud Function 5.0.x: versions prior to 5.0.2 Older, unsupported versions are also affected.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-40989 stems from inadequate recursion depth validation in Spring Cloud Function's request routing logic. When a specially crafted request traverses the routing layer, it can trigger unbounded recursive calls without a termination condition, leading to rapid heap exhaustion and denial-of-service via OOM. The flaw is classified under CWE-674 (Uncontrolled Recursion) and affects multiple version families: 3.2.x (before 3.2.16), 4.1.x (before 4.1.10), 4.2.x (before 4.2.6), 4.3.x (before 4.3.3), and 5.0.x (before 5.0.2). Older unsupported versions remain vulnerable. The CVSS 3.1 score of 5.7 (MEDIUM) reflects the access constraints (physical or privileged local) needed to trigger the condition.
Business impact
Exploitation results in service unavailability rather than data breach or unauthorized access. For organizations running Spring Cloud Function in production—particularly serverless or function-as-a-service deployments—an OOM crash can disrupt workflows, trigger incident response, and incur downtime costs. In multi-tenant or shared-infrastructure scenarios, a compromised function instance could affect neighboring workloads. However, the attack surface is limited to adversaries with local or physical system presence, reducing risk for externally-facing cloud deployments with proper network isolation.
Affected systems
Any Spring Cloud Function deployment in versions 3.2.x through 5.0.x (as enumerated) is potentially affected. Unsupported legacy versions prior to 3.2.x are also vulnerable. Organizations should audit their deployment manifests, container image registries, and dependency lock files to identify active instances. Spring Boot applications that embed Spring Cloud Function, microservices using it for routing, and serverless platforms built on these versions require assessment.
Exploitability
The vulnerability requires either physical access to the affected host or authenticated local access, significantly constraining real-world exploit likelihood in cloud-native environments. Public internet-facing applications are protected by this access barrier unless they have been compromised via other means or are running in untrusted multi-tenant settings. The vulnerability is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating no evidence of active weaponization in the wild to date. Nevertheless, the path to denial-of-service is straightforward once access conditions are met, making it a concern for insider threats and lateral-movement scenarios.
Remediation
Upgrade immediately to patched versions: 3.2.16 or later for 3.2.x, 4.1.10 or later for 4.1.x, 4.2.6 or later for 4.2.x, 4.3.3 or later for 4.3.x, and 5.0.2 or later for 5.0.x. Unsupported legacy versions should be migrated to a supported release. Verify patches against official VMware Spring Cloud Function security advisories to confirm version eligibility. Organizations unable to patch immediately should prioritize network segmentation and access controls to limit the attack surface to authenticated, trusted actors only.
Patch guidance
Plan patching by version cohort to minimize disruption. For development and staging environments, apply patches immediately to validate compatibility with your application logic. Production deployments should follow a staged rollout: begin with non-critical functions, monitor for regression, then expand to core services. Always test patches in an environment that mirrors production configuration. Refer to VMware's official Spring Cloud Function release notes for each version to confirm dependency updates or breaking changes. Consider using automated dependency scanning and software composition analysis (SCA) tools to track patch status across your codebase and container supply chain.
Detection guidance
Monitor application logs for unusual OOM exceptions originating from the routing layer or request-handling components. Correlate sudden process terminations with anomalous request patterns or logs showing deep call stacks. Container orchestration platforms (Kubernetes, etc.) should alert on repeated pod evictions due to memory limits or OOMKilled status. Network-based detection is limited due to the local/physical access requirement; focus on endpoint-level monitoring. Implement resource quotas and memory limits on function containers to contain blast radius and trigger alerts before full OOM events occur. Review access logs for authentication attempts or privilege escalation that might precede exploitation.
Why prioritize this
Assign this a medium priority within your patch cycle. While the CVSS score is moderate and the access barrier is high, Spring Cloud Function is widely used in serverless and microservice architectures where availability is critical. Organizations with strict zero-trust policies and strong lateral-movement controls can defer patching slightly, but those with permissive internal networks, shared infrastructure, or hostile-environment assumptions should prioritize rapid remediation. Unsupported version users should escalate this to high priority due to the absence of any security maintenance.
Risk score, explained
The CVSS 3.1 score of 5.7 (MEDIUM) reflects a denial-of-service vector with availability impact (A:H) but no confidentiality or integrity compromise. The physical/local access requirement (AV:P, PR:L) substantially reduces the overall score compared to a remotely exploitable variant. The user-interaction flag (UI:R) adds a further constraint. In practice, the risk to your environment depends on your network architecture, access controls, and operational posture; organizations with strong perimeter and lateral-movement defenses may treat this as lower risk, while those with permissive internal controls should weight it higher.
Frequently asked questions
Is this vulnerability exploitable remotely over the internet?
No. CVE-2026-40989 requires either physical access to the host or authenticated local access (PR:L per the CVSS vector). It cannot be triggered by unauthenticated remote requests to an internet-facing Spring Cloud Function endpoint. However, if an attacker has already compromised another service or user account on your network, they could attempt local exploitation.
Do all Spring Cloud Function versions before 3.2.16 require patching?
Yes. Any version not explicitly listed as patched—including all versions prior to 3.2.x—remains vulnerable. If you are running unsupported legacy versions, you must either upgrade to a current supported version or implement strict network isolation as an interim control.
What happens when this vulnerability is exploited?
The application crashes due to out-of-memory (OOM) error, rendering the function unavailable. In container environments, this typically triggers pod eviction or restart. No data is stolen or modified; the impact is purely denial-of-service.
How can I verify if my Spring Cloud Function version is patched?
Check your application's dependency manifest (pom.xml for Maven, build.gradle for Gradle, etc.) for the exact Spring Cloud Function version. Compare it against the patched version thresholds provided. Use SCA tools to automate this verification across your codebase and deployed containers.
This analysis is provided for informational purposes based on publicly available CVE data current as of the publication and modification dates listed. SEC.co does not warrant the completeness or accuracy of vendor patch information; always verify specific patch versions and applicability with official VMware Spring Cloud Function security advisories and release notes. CVSS scores and KEV status reflect data as of publication and may change. Organizations should conduct their own risk assessment based on their specific deployment topology, access controls, and operational environment. This document does not constitute legal or compliance advice. Consult with your security, operations, and compliance teams before making remediation decisions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-46149HIGHLinux Kernel SCSI Target Memory Disclosure & DoS Vulnerability
- CVE-2026-40990MEDIUMSpring Cloud Function OOM Denial-of-Service Vulnerability
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25397MEDIUMCSRF Vulnerability in PHP-SHOP 1.0 – Admin Account Injection
- CVE-2018-25421MEDIUMOpen STA Manager 2.3 Path Traversal File Download Vulnerability
- CVE-2018-25423MEDIUMBuffer Overflow Denial of Service in Arm Whois 3.11