Description
In Spring AI, a malicious PDF file can be crafted that triggers the allocation of unreasonable amounts of memory when handled by `ForkPDFLayoutTextStripper`.

Affected versions:
Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)
Published: 2026-04-28
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Spring AI can be forced to allocate an unreasonable amount of memory when it processes a maliciously crafted PDF file through the ForkPDFLayoutTextStripper. The excessive memory consumption leads to resource exhaustion, potentially causing the application to become unresponsive or crash. The weakness is a classic example of uncontrolled resource consumption, identified as CWE-400.

Affected Systems

The affected product is Spring AI. Versions 1.0.0 through 1.0.5 and 1.1.0 through 1.1.4 are vulnerable; the issue was resolved in Spring AI 1.0.6 and 1.1.5.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate to high severity. No EPSS data is available, and the vulnerability is not listed in CISA's KEV catalog, suggesting that public exploitation may be limited. The likely attack vector is the delivery of a specially crafted PDF to a Spring AI instance that processes user-supplied documents; an attacker could then induce memory exhaustion and potentially deny service to legitimate users.

Generated by OpenCVE AI on April 28, 2026 at 19:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring AI to a fixed release (1.0.6 or 1.1.5).
  • Restrict the size of PDF files accepted by the application and perform strict validation before invoking ForkPDFLayoutTextStripper.
  • Apply application-level memory quotas or OS-level resource limits to prevent a single request from consuming excessive memory.

Tracking


Advisories

No advisories yet.

References
History

Wed, 29 Apr 2026 10:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Spring; Spring spring
Vendors & Products                     Spring; Spring spring

Tue, 28 Apr 2026 19:45:00 +0000

Type                  Values Removed   Values Added
Title                                  Memory Exhaustion via Malformed PDF in Spring AI

Tue, 28 Apr 2026 09:15:00 +0000

Type                  Values Removed   Values Added
Description                            In Spring AI, a malicious PDF file can be crafted that triggers the allocation of unreasonable amounts of memory when handled by `ForkPDFLayoutTextStripper`. Affected versions: Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)
Weaknesses                             CWE-400
References
Metrics                                cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-04-28T12:32:40.140Z

Reserved: 2026-04-16T02:19:04.616Z

Link: CVE-2026-40980

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-28T09:16:16.890

Modified: 2026-04-28T20:12:42.653

Link: CVE-2026-40980

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T10:00:09Z

Weaknesses