{"id":"CVE-2026-40990","summary":"Unbounded cache for function definitions","details":"OOM error is possible while attempting to add infinite amount of functions to Function Registry.\n\nAffected Spring Products and Versions:\nSpring Cloud Function 3.2.x: versions prior to 3.2.16\nSpring Cloud Function 4.1.x: versions prior to 4.1.10\nSpring Cloud Function 4.2.x: versions prior to 4.2.6\nSpring Cloud Function 4.3.x: versions prior to 4.3.3\nSpring Cloud Function 5.0.x: versions prior to 5.0.2\nOlder, unsupported versions are also affected.","aliases":["GHSA-x4h3-g2x4-8gqv"],"modified":"2026-07-09T13:56:44.099686104Z","published":"2026-06-01T17:49:16.377Z","database_specific":{"cna_assigner":"vmware","cwe_ids":["CWE-770"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40990.json","unresolved_ranges":[{"extracted_events":[{"introduced":"3.2.0"},{"fixed":"3.2.16"},{"introduced":"4.1.0"},{"fixed":"4.1.10"},{"introduced":"4.2.0"},{"fixed":"4.2.6"},{"introduced":"4.3.0"},{"fixed":"4.3.3"},{"introduced":"5.0.0"},{"fixed":"5.0.2"}],"source":"AFFECTED_FIELD"}]},"references":[{"type":"WEB","url":"https://spring.io/security/cve-2026-40990"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40990.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40990"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/spring-cloud/spring-cloud-function","events":[{"introduced":"8ebf3d731f1400d34dcfd49e94c99437a3451fb9"},{"fixed":"d417ed0d581b113fd6c9112a6b3e5451497bbf4a"},{"introduced":"8eb67a5a4207593cd695e82826ec208606859eaf"},{"fixed":"081ae5189db0f351089cbf11db8d957ad99ef56c"}],"database_specific":{"extracted_events":[{"introduced":"4.3.0"},{"fixed":"4.3.3"},{"introduced":"5.0.0"},{"fixed":"5.0.2"}],"source":"CPE_RANGE","cpe":"cpe:2.3:a:vmware:spring_cloud_function:*:*:*:*:*:*:*:*"}}],"versions":["v4.3.2","v5.0.1","v4.3.1","v5.0.0","v4.3.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40990.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:H"}]}