CVE-2025-2240: Improperly Controlled Sequential Memory Allocation
A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue.
AI Analysis
Technical Summary
CVE-2025-2240 is an out-of-memory vulnerability in the smallrye-fault-tolerance-core component of SmallRye Fault Tolerance, part of Red Hat Build of Apache Camel 4.8 for Quarkus 3.15. The vulnerability is triggered externally via calls to the metrics URI, where each call creates a new object in meterMap, leading to uncontrolled sequential memory allocation. This can cause a denial of service due to resource exhaustion. The CVSS 3.1 base score is 7.5 (High), reflecting network attack vector, low complexity, no privileges or user interaction required, and impact limited to availability. Red Hat has issued security advisories and released fixed versions (Quarkus 3.15.4 and Apache Camel 4.8 for Quarkus 3.15.4) that address this issue.
Potential Impact
The vulnerability allows an unauthenticated attacker to cause a denial of service by triggering an out-of-memory condition through repeated calls to the metrics URI. This can disrupt availability of affected systems running vulnerable versions of Red Hat Build of Apache Camel 4.8 for Quarkus 3.15. No confidentiality or integrity impacts are reported.
Mitigation Recommendations
Red Hat has released official security updates that fix this vulnerability in Red Hat Build of Quarkus 3.15.4 and Red Hat Build of Apache Camel 4.8 for Quarkus 3.15.4. Users should apply these updates as soon as possible. Before applying the update, back up existing installations, including applications, configuration files, and databases. Patch status is confirmed by Red Hat advisories: https://access.redhat.com/errata/RHSA-2025:3376 and https://access.redhat.com/errata/RHSA-2025:3541. No alternative mitigations are indicated in the vendor advisory.
CVE-2025-2240: Improperly Controlled Sequential Memory Allocation
Description
A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-2240 is an out-of-memory vulnerability in the smallrye-fault-tolerance-core component of SmallRye Fault Tolerance, part of Red Hat Build of Apache Camel 4.8 for Quarkus 3.15. The vulnerability is triggered externally via calls to the metrics URI, where each call creates a new object in meterMap, leading to uncontrolled sequential memory allocation. This can cause a denial of service due to resource exhaustion. The CVSS 3.1 base score is 7.5 (High), reflecting network attack vector, low complexity, no privileges or user interaction required, and impact limited to availability. Red Hat has issued security advisories and released fixed versions (Quarkus 3.15.4 and Apache Camel 4.8 for Quarkus 3.15.4) that address this issue.
Potential Impact
The vulnerability allows an unauthenticated attacker to cause a denial of service by triggering an out-of-memory condition through repeated calls to the metrics URI. This can disrupt availability of affected systems running vulnerable versions of Red Hat Build of Apache Camel 4.8 for Quarkus 3.15. No confidentiality or integrity impacts are reported.
Mitigation Recommendations
Red Hat has released official security updates that fix this vulnerability in Red Hat Build of Quarkus 3.15.4 and Red Hat Build of Apache Camel 4.8 for Quarkus 3.15.4. Users should apply these updates as soon as possible. Before applying the update, back up existing installations, including applications, configuration files, and databases. Patch status is confirmed by Red Hat advisories: https://access.redhat.com/errata/RHSA-2025:3376 and https://access.redhat.com/errata/RHSA-2025:3541. No alternative mitigations are indicated in the vendor advisory.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- redhat
- Date Reserved
- 2025-03-12T02:36:02.101Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/errata/RHSA-2025:3376","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2025:3541","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2025:3543","vendor":"Red Hat"},{"url":"https://access.redhat.com/security/cve/CVE-2025-2240","vendor":"Red Hat"}]
Threat ID: 682d9816c4522896dcbd6c33
Added to database: 5/21/2025, 9:08:38 AM
Last enriched: 5/7/2026, 1:45:10 AM
Last updated: 5/9/2026, 4:19:42 PM
Views: 80
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.