Memory Allocation Vulnerability in Spring AI by Pivotal Software
CVE-2026-40980

6.5MEDIUM

Key Information:

Vendor: Spring
Status: Spring Ai
Vendor: CVE Published:; 28 April 2026

What is CVE-2026-40980?

A memory allocation vulnerability exists in Spring AI, allowing attackers to craft malicious PDF files that can trigger excessive memory allocation when processed by the ForkPDFLayoutTextStripper. This could lead to resource exhaustion and potential denial of service. The issue affects versions 1.0.0 to 1.0.5 and 1.1.0 to 1.1.4, and has been mitigated in subsequent releases.

Affected Version(s)

Spring AI 1.0.0 < 1.0.6

Spring AI 1.1.0 < 1.1.5

References

https://spring.io/security/cve-2026-40980

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 28, 2026
Vulnerability Reserved
Apr 16, 2026

CVE-2026-40980 Data

JSON