CVE-2026-41849: Spring Framework SpEL Integer Overflow DoS Vulnerability
Spring Framework versions 5.3.0 through 5.3.48 contain an integer overflow flaw in the Spring Expression Language (SpEL) evaluation engine. By crafting a malicious SpEL expression, an unauthenticated attacker can trigger uncontrolled resource consumption on the affected system, leading to denial of service. No authentication is required, and the attack can be mounted remotely over the network.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-190
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
An integer overflow vulnerability exists in the evaluation logic of the Spring Expression Language (SpEL). An attacker can exploit this by supplying a specially crafted SpEL expression that triggers excessive resource consumption, resulting in a Denial of Service (DoS). Affected versions: Spring Framework 5.3.0 through 5.3.48.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-41849 is an integer overflow vulnerability (CWE-190) residing in SpEL's expression evaluation logic. When a specially constructed expression is processed, the integer overflow condition causes the evaluator to consume excessive CPU and memory resources. The vulnerability exists in Spring Framework 5.3.0 through 5.3.48. The CVSS v3.1 score of 7.5 reflects a high-severity network-accessible denial-of-service with no authentication barrier, though the attack does not compromise confidentiality or integrity.
Business impact
This vulnerability enables remote attackers to degrade or completely disable applications relying on Spring Framework's expression language capabilities. Organizations using affected versions face service unavailability, impacting user access and business continuity. The risk is elevated for applications that expose SpEL evaluation to untrusted input—either directly through user-facing features or indirectly through integrations. Recovery requires resource restart or mitigation deployment, creating operational overhead.
Affected systems
Spring Framework versions 5.3.0 through 5.3.48 are affected. Organizations should audit their dependency trees to identify which applications and microservices pull in these versions. This includes direct Spring Framework usage and indirect inclusion through Spring Boot, Spring Cloud, and other Spring ecosystem projects that may bundle the vulnerable framework version.
Exploitability
The attack vector is network-accessible with low complexity and no prerequisites. An attacker needs only to submit a crafted SpEL expression to an application that evaluates such expressions. The barrier to exploitation is low; no special tools or insider knowledge is required. However, exploitability depends on whether the target application actually processes untrusted SpEL input. Applications that only use SpEL in static, internal configurations are not exposed.
Remediation
Upgrade Spring Framework to a version beyond 5.3.48 that incorporates the integer overflow fix. Verify patch availability against the VMware Spring Framework security advisory. For applications unable to upgrade immediately, implement input validation and sanitization on any user-supplied SpEL expressions, and restrict SpEL evaluation to trusted sources only. Consider disabling or limiting SpEL functionality where not essential.
Patch guidance
Apply the latest patched release of Spring Framework beyond version 5.3.48. Consult the official VMware/Pivotal Spring Framework security advisory for the exact patched version number and release date. Test patches in a non-production environment to confirm compatibility with your application stack, as integer overflow fixes may affect expression evaluation edge cases. Plan updates for both direct Spring Framework dependencies and transitive dependencies through Spring Boot and related projects.
Detection guidance
Monitor application logs for malformed or unusually complex SpEL expressions, particularly those containing nested integer operations or large numeric literals. Implement network intrusion detection rules to flag HTTP requests containing suspicious expression patterns. Establish baseline resource consumption metrics for SpEL evaluation; sustained CPU or memory spikes during expression processing may indicate attack attempts. Correlate anomalous behavior with access patterns to determine if expressions originate from unexpected sources.
Why prioritize this
This vulnerability merits immediate attention despite not being in the KEV catalog. The high CVSS score (7.5), ease of remote exploitation, and lack of authentication requirements make it a priority target for adversaries. Organizations running Spring Framework 5.3.x in production should prioritize patching. However, actual risk depends on whether the application processes untrusted SpEL expressions; internal-only use cases are lower priority.
Risk score, explained
The CVSS v3.1 score of 7.5 (HIGH) reflects network accessibility (AV:N), low attack complexity (AC:L), no privilege or user interaction requirements (PR:N/UI:N), and high availability impact (A:H). The score appropriately penalizes the broad attack surface but stops short of CRITICAL because confidentiality and integrity are unaffected. Organizations with internet-facing applications that evaluate expressions should treat this as higher priority than those with internal-only deployments.
Frequently asked questions
Which Spring Framework versions are vulnerable?
Spring Framework 5.3.0 through 5.3.48 are affected. Verify your exact version in your build configuration (pom.xml, gradle.build, or dependency manager) and check whether you depend on Spring Framework directly or transitively through Spring Boot.
Does this vulnerability affect Spring Framework 6.x or 4.x?
The current advisory specifically documents versions 5.3.0 through 5.3.48. Consult the VMware Spring Framework security advisory to confirm whether 6.x, 5.2.x, or 4.x versions are addressed by the same patch or require separate fixes.
Can we mitigate this without upgrading if we don't use SpEL?
If your application does not use Spring Expression Language or only uses it for static, hardcoded expressions that are never evaluated against user input, the practical risk is reduced. However, upgrading remains the recommended long-term solution to eliminate the underlying flaw and future-proof your environment.
How do we know if our application accepts untrusted SpEL expressions?
Search your codebase for SpEL parsing calls (SpelExpressionParser, @Value with #{...} syntax, or direct Expression.getValue() calls). Trace whether the parsed expressions originate from user input, configuration files, or external systems. If expressions come only from internal code, risk is minimal; if sourced from user input, the vulnerability is exploitable.
This analysis is provided for informational purposes. No warranty is given regarding accuracy, completeness, or timeliness of the information. Verify all patch versions, CVE details, and remediation steps against official VMware Spring Framework security advisories and your vendor documentation before taking action. Test patches in non-production environments. SEC.co does not provide legal or compliance advice; consult your security team and legal counsel regarding disclosure obligations and risk tolerance. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-0095HIGHAndroid Bluetooth Integer Overflow Privilege Escalation
- CVE-2026-10118HIGHInteger Overflow in Poppler Splash Backend Leading to Code Execution
- CVE-2026-10921HIGHChrome Dawn Integer Overflow Sandbox Escape Vulnerability
- CVE-2026-10924HIGHChrome Integer Overflow Sandbox Escape Vulnerability
- CVE-2026-11085HIGHGPU Integer Overflow in Chrome on Android – Patch Now
- CVE-2026-37462HIGHGoBGP v4.3.0 Integer Underflow DoS Vulnerability
- CVE-2026-42916HIGHWindows NT Kernel Integer Overflow Privilege Escalation Vulnerability
- CVE-2026-42974HIGHWindows Performance Monitor Integer Overflow Remote Code Execution Vulnerability