CVE-2026-40977

CVE-2026-40977 PUBLISHED

Assigner: vmware
Reserved: 16.04.2026 Published: 27.04.2026 Updated: 27.04.2026

When an application is configured to use ApplicationPidFileWriter, a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started.

Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); PID file / symlink behavior (ApplicationPidFileWriter). Versions that are no longer supported are also affected per vendor advisory.

Metrics

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H
CVSS Score: 4.7

Attack Vector	Local	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	None
Privileges Required	High	Integrity Impact	Low
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Spring
Product	Spring Boot
Versions	Default: unaffected affected from 4.0.0 to 4.0.6 (excl.) affected from 3.5.0 to 3.5.14 (excl.) affected from 3.4.0 to 3.4.16 (excl.) affected from 3.3.0 to 3.3.19 (excl.) affected from 2.7.0 to 2.7.33 (excl.)

Vendor

Spring

Product

Spring Boot

Versions

Default: unaffected

affected from 4.0.0 to 4.0.6 (excl.)
affected from 3.5.0 to 3.5.14 (excl.)
affected from 3.4.0 to 3.4.16 (excl.)
affected from 3.3.0 to 3.3.19 (excl.)
affected from 2.7.0 to 2.7.33 (excl.)

References

Problem Types

CWE-59: Improper Link Resolution Before File Access CWE

Impacts

Per CVSS v3.1: Confidentiality NONE; Integrity LOW; Availability HIGH.