CVE-2026-40980: CWE-400: Uncontrolled Resource Consumption in Spring Spring AI
In Spring AI, a malicious PDF file can be crafted that triggers the allocation of unreasonable amounts of memory when handled by `ForkPDFLayoutTextStripper`. Affected versions: Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)
AI Analysis
Technical Summary
This vulnerability (CVE-2026-40980) in Spring AI arises from improper handling of PDF files by the ForkPDFLayoutTextStripper, which can be exploited by a malicious PDF to cause excessive memory allocation. This uncontrolled resource consumption (CWE-400) can lead to denial of service conditions. Affected versions are 1.0.0 to 1.0.5 and 1.1.0 to 1.1.4, with fixes released in 1.0.6 and 1.1.5. The CVSS 3.1 base score is 6.5, reflecting network attack vector, low attack complexity, required privileges, no user interaction, unchanged scope, no confidentiality or integrity impact, but high availability impact.
Potential Impact
Successful exploitation results in denial of service through excessive memory consumption, potentially causing application or system instability. There is no impact on confidentiality or integrity. No known active exploits have been reported.
Mitigation Recommendations
Upgrading to Spring AI versions 1.0.6 or 1.1.5 or later resolves this vulnerability. Since the vendor has released fixed versions, applying these official patches is the recommended remediation. No temporary or alternative mitigations are indicated.
CVE-2026-40980: CWE-400: Uncontrolled Resource Consumption in Spring Spring AI
Description
In Spring AI, a malicious PDF file can be crafted that triggers the allocation of unreasonable amounts of memory when handled by `ForkPDFLayoutTextStripper`. Affected versions: Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CVE-2026-40980) in Spring AI arises from improper handling of PDF files by the ForkPDFLayoutTextStripper, which can be exploited by a malicious PDF to cause excessive memory allocation. This uncontrolled resource consumption (CWE-400) can lead to denial of service conditions. Affected versions are 1.0.0 to 1.0.5 and 1.1.0 to 1.1.4, with fixes released in 1.0.6 and 1.1.5. The CVSS 3.1 base score is 6.5, reflecting network attack vector, low attack complexity, required privileges, no user interaction, unchanged scope, no confidentiality or integrity impact, but high availability impact.
Potential Impact
Successful exploitation results in denial of service through excessive memory consumption, potentially causing application or system instability. There is no impact on confidentiality or integrity. No known active exploits have been reported.
Mitigation Recommendations
Upgrading to Spring AI versions 1.0.6 or 1.1.5 or later resolves this vulnerability. Since the vendor has released fixed versions, applying these official patches is the recommended remediation. No temporary or alternative mitigations are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- vmware
- Date Reserved
- 2026-04-16T02:19:04.616Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f0788fcbff5d8610e928ce
Added to database: 4/28/2026, 9:06:23 AM
Last enriched: 4/28/2026, 9:22:11 AM
Last updated: 4/29/2026, 2:44:07 AM
Views: 12
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.