CVE-2026-40990— Unbounded cache for function definitions
Possible ATT&CK Techniques 1AI
T1496 · Resource HijackingAffected Version Matrix 5
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Spring | Spring Cloud Function | 3.2.0< 3.2.16 | affected |
4.1.0< 4.1.10 | affected | ||
4.2.0< 4.2.6 | affected | ||
4.3.0< 4.3.3 | affected | ||
5.0.0< 5.0.2 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-40990
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Unbounded cache for function definitions
Source: NVD (National Vulnerability Database)
Vulnerability Description
OOM error is possible while attempting to add infinite amount of functions to Function Registry. Affected Spring Products and Versions: Spring Cloud Function 3.2.x: versions prior to 3.2.16 Spring Cloud Function 4.1.x: versions prior to 4.1.10 Spring Cloud Function 4.2.x: versions prior to 4.2.6 Spring Cloud Function 4.3.x: versions prior to 4.3.3 Spring Cloud Function 5.0.x: versions prior to 5.0.2 Older, unsupported versions are also affected.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
不加限制或调节的资源分配
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Spring | Spring Cloud Function | 3.2.0 ~ 3.2.16 | - |
II. Public POCs for CVE-2026-40990
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-40990
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-40990 (1)
IV. Related Vulnerabilities
Same weakness: CWE-770
- CVE-2026-49754
HTTP/2 CONTINUATION flood in Mint client via unbounded heade - CVE-2026-48862
Unbounded conn.streams growth in Mint HTTP/2 client via unen - CVE-2026-49140
Nanobot < 0.2.1 Denial of Service via Matrix Media Download - CVE-2026-10533
Openshift: openshift: non-admin user can bypass resourcequot - CVE-2026-49361
Apache Fluss Netty Frame Decoder Memory Exhaustion Vulnerabi
V. Comments for CVE-2026-40990
No comments yet