CVE-2026-40990 PUBLISHED

Unbounded cache for function definitions

Assigner: vmware
Reserved: 16.04.2026 Published: 01.06.2026 Updated: 01.06.2026

An OOM error is possible while attempting to add an infinite amount of functions to the Function Registry.

Affected Spring Products and Versions:

  • Spring Cloud Function 3.2.x: versions prior to 3.2.16
  • Spring Cloud Function 4.1.x: versions prior to 4.1.10
  • Spring Cloud Function 4.2.x: versions prior to 4.2.6
  • Spring Cloud Function 4.3.x: versions prior to 4.3.3
  • Spring Cloud Function 5.0.x: versions prior to 5.0.2

Older, unsupported versions are also affected.

Metrics

CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:H
CVSS Score: 5.7

Product Status

Vendor Spring
Product Spring Cloud Function
Versions Default: unaffected
  • affected from 3.2.0 to 3.2.16 (excl.)
  • affected from 4.1.0 to 4.1.10 (excl.)
  • affected from 4.2.0 to 4.2.6 (excl.)
  • affected from 4.3.0 to 4.3.3 (excl.)
  • affected from 5.0.0 to 5.0.2 (excl.)

Problem Types

  • CWE-770 Allocation of Resources Without Limits or Throttling

Impacts

  • An OOM error is possible while attempting to add an infinite amount of functions to the Function Registry due to an unbounded cache, leading to denial of service.