MEDIUM 5.7

CVE-2026-40990: Spring Cloud Function OOM Denial-of-Service Vulnerability

A resource exhaustion flaw exists in Spring Cloud Function that allows an attacker to trigger out-of-memory (OOM) errors by registering an excessive number of functions in the Function Registry. The vulnerability requires local or adjacent network access and user interaction, making it a medium-severity concern primarily affecting development and hybrid deployment environments. Multiple versions across Spring Cloud Function 3.2 through 5.0 are vulnerable.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.7 MEDIUM · CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:H
Weaknesses (CWE)
CWE-770
Affected products
1 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

OOM error is possible while attempting to add infinite amount of functions to Function Registry. Affected Spring Products and Versions: Spring Cloud Function 3.2.x: versions prior to 3.2.16 Spring Cloud Function 4.1.x: versions prior to 4.1.10 Spring Cloud Function 4.2.x: versions prior to 4.2.6 Spring Cloud Function 4.3.x: versions prior to 4.3.3 Spring Cloud Function 5.0.x: versions prior to 5.0.2 Older, unsupported versions are also affected.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-40990 is a denial-of-service vulnerability rooted in CWE-770 (Allocation of Resources Without Limits or Throttling). The Function Registry in Spring Cloud Function lacks proper bounds on the number of functions that can be registered, permitting an attacker with local or physical proximity access to inject an unbounded number of function definitions. This exhausts available heap memory, causing the JVM to throw OOM exceptions and crash the application. The vulnerability is context-dependent: it requires some form of user interaction or social engineering to register malicious functions, which limits its exploitability in fully automated attack scenarios.

Business impact

Organizations deploying Spring Cloud Function in microservices architectures face potential service disruption. An attacker who gains local or adjacent-network access and tricks a developer or administrator into registering untrusted functions can crash the Function Registry, interrupting downstream services that depend on it. This is particularly impactful in multi-tenant or hybrid cloud environments where function registration may be exposed via API or management interfaces. Recovery requires manual intervention and restart, introducing unplanned downtime.

Affected systems

Spring Cloud Function versions prior to: 3.2.16, 4.1.10, 4.2.6, 4.3.3, and 5.0.2 are vulnerable. Older, end-of-life versions in the 3.x, 4.x, and 5.0 lines are also affected. Organizations running Spring Cloud Function as part of Spring Cloud ecosystem deployments—particularly in containerized or Kubernetes environments—should audit their current versions immediately.

Exploitability

Exploitation requires local or adjacent network access (physical proximity or same network segment), with a low complexity attack surface once access is obtained. The requirement for user interaction—specifically convincing a developer or operator to register a function definition—raises the barrier to opportunistic exploitation but remains feasible in social engineering scenarios. The attack does not grant unauthorized data access or code execution; it is purely a denial-of-service vector. The CVSS 3.1 score of 5.7 (MEDIUM) reflects this constrained attack surface.

Remediation

Immediate action: upgrade Spring Cloud Function to patched versions (3.2.16, 4.1.10, 4.2.6, 4.3.3, or 5.0.2 and later). For organizations unable to patch immediately, implement network segmentation to restrict who can access the Function Registry API, enforce strict access controls on function registration endpoints, and monitor heap memory usage for anomalous spikes. Consider disabling dynamic function registration in production if not operationally required.

Patch guidance

VMware has released patches in the Spring Cloud Function versions specified above. Verify your current version by checking the spring-cloud-function dependency version in your pom.xml, build.gradle, or via runtime inspection (Spring Boot Actuator endpoints). Test patches in a staging environment before production deployment, as function registration behavior should be validated across your application stack. Refer to the official VMware Spring Cloud Function release notes for version-specific upgrade instructions and any breaking changes.

Detection guidance

Monitor application logs for repeated OOM exceptions originating from Spring Cloud Function components. Implement JVM memory alerting to detect sudden heap pressure or sustained high memory utilization. Track invocations to function registration endpoints (if exposed) and alert on unusually high registration rates from single sources. In containerized environments, watch for pod evictions due to memory limits. Correlate OOM events with user or API access logs to identify malicious registration patterns. Consider deploying distributed tracing to observe function lifecycle events and detect resource anomalies in real time.

Why prioritize this

While this vulnerability is MEDIUM severity with limited exploitability, it poses a direct denial-of-service threat to Spring Cloud Function deployments. Organizations should prioritize patching based on exposure: highest priority for environments where the Function Registry is exposed via untrusted APIs or accessible to a broad internal user base, and lower priority for isolated development instances with strict access controls. The patch availability and straightforward upgrade path make this a low-friction remediation effort.

Risk score, explained

The CVSS 3.1 score of 5.7 reflects a bounded attack vector (local/adjacent, requiring user interaction), no confidentiality impact, limited integrity impact, and high availability impact (OOM crashes the process). The score would be lower if physical or administrative privileges were required; it lands in MEDIUM because the user-interaction condition is somewhat weak in environments with lax function registration policies. In high-security contexts with restrictive access controls, this vulnerability's practical risk is lower than the base score suggests.

Frequently asked questions

Does this vulnerability allow remote code execution?

No. CVE-2026-40990 is strictly a denial-of-service vulnerability. It causes out-of-memory errors and crashes, not code execution or data leakage. An attacker cannot execute arbitrary commands or access sensitive data through this flaw.

Which environments are most at risk?

Environments where the Function Registry is accessible via REST APIs, exposed to untrusted internal networks, or integrated with multi-tenant platforms where users can register functions without vetting are at highest risk. Development and staging environments are often less hardened and may pose greater exposure than production.

Can I work around this without patching?

Temporarily, yes. You can restrict network access to function registration endpoints using firewalls or API gateway policies, disable dynamic registration if not operationally required, and implement strict memory limits at the JVM or container level to trigger controlled failures instead of cascading crashes. However, patching is the proper fix.

How do I know if I'm running a vulnerable version?

Check your Spring Cloud Function version in your build configuration (pom.xml or build.gradle) or at runtime using Spring Boot Actuator endpoints. Compare your version against the vulnerable ranges: 3.2.x before 3.2.16, 4.1.x before 4.1.10, 4.2.x before 4.2.6, 4.3.x before 4.3.3, and 5.0.x before 5.0.2. If you match any of these, update immediately.

This analysis is provided for informational purposes and reflects the state of publicly available information as of the publication date. Security assessments are context-dependent; your organization's actual risk may vary based on deployment topology, access controls, and operational practices. Always verify patch availability and compatibility in your specific environment before applying updates. Consult VMware's official security advisory for the most current guidance, and engage your security team for organization-specific remediation planning. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).