CVE-2026-40980

Published: Apr 28, 2026 Last Modified: Apr 29, 2026
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 6,5
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Scope: unchanged
Confidentiality: none
Integrity: none
Availability: high

Description

AI Translation Available

In Spring AI, a malicious PDF file can be crafted that triggers the allocation of unreasonable amounts of memory when handled by `ForkPDFLayoutTextStripper`.

Affected versions:
Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)

400

Uncontrolled Resource Consumption

Draft
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Availability Access Control Other
Potential Impacts:
Dos: Crash, Exit, Or Restart Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory) Dos: Resource Consumption (Other) Bypass Protection Mechanism Other
Applicable Platforms
Technologies: AI/ML, Not Technology-Specific
Likelihood of Exploit: High
View CWE Details
Application

Spring Ai by Vmware

Product Information
Vendor Vmware
Product Spring Ai
Version Range Affected
From 1.0.0 (inclusive)
To 1.0.6 (exclusive)
cpe:2.3:a:vmware:spring_ai:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Spring Ai by Vmware

Product Information
Vendor Vmware
Product Spring Ai
Version Range Affected
From 1.1.0 (inclusive)
To 1.1.5 (exclusive)
cpe:2.3:a:vmware:spring_ai:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
https://spring.io/security/cve-2026-40980
https://spring.io/security/cve-2026-40980