CVE-2026-41849 PUBLISHED

Spring Framework Denial of Service via Integer Overflow in SpEL Expressions

Assigner: vmware
Reserved: 22.04.2026
Published: 09.06.2026
Updated: 09.06.2026

An integer overflow vulnerability exists in the evaluation logic of the Spring Expression Language (SpEL). An attacker can exploit this by supplying a specially crafted SpEL expression that triggers excessive resource consumption, resulting in a Denial of Service (DoS).

Affected versions: Spring Framework 5.3.0 through 5.3.48.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Product Status

Vendor: Spring
Product: Spring Framework
Versions (default: unaffected):
  • affected from 5.3.0 to 5.3.49 (excl.)

References

Problem Types

  • CWE-190: Integer Overflow or Wraparound

Impacts

  • An attacker who can supply user-controlled SpEL expressions can trigger an integer overflow in the evaluation logic, causing excessive resource consumption and denial of service.