Description
In Spring AI, a malicious PDF file can be crafted that triggers the allocation of unreasonable amounts of memory when handled by `ForkPDFLayoutTextStripper`.

Affected versions:
Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)
Published: 2026-04-28
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Processing a maliciously crafted PDF through ForkPDFLayoutTextStripper forces Spring AI to allocate an unreasonable amount of memory. The excessive allocation exhausts heap, and the application can become unresponsive or crash with an OutOfMemoryError. The weakness is uncontrolled resource consumption, CWE-400.

Affected Systems

The affected product is Spring AI. Versions 1.0.0 through 1.0.5 and 1.1.0 through 1.1.4 are vulnerable; the issue was resolved in Spring AI 1.0.6 and 1.1.5.

Risk and Exploitability

The CVSS 3.1 base score is 6.5 (Medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H: reachable over the network with low attack complexity, requiring low privileges and no user interaction, with high impact on availability and none on confidentiality or integrity. EPSS is below 1% (Very Low) and the vulnerability is not listed in CISA's KEV catalog, so there is no evidence of exploitation in the wild at the time of writing. The likely attack vector is delivery of a specially crafted PDF to a Spring AI application that extracts text from user-supplied documents; a single such upload can exhaust the process's memory and deny service to legitimate users.

Generated by OpenCVE AI on April 28, 2026 at 19:27 UTC.

Remediation

Vendor fix: upgrade to Spring AI 1.0.6 (for the 1.0.x line) or 1.1.5 (for the 1.1.x line). No workaround is listed in the advisory.

OpenCVE Recommended Actions

  • Upgrade Spring AI to a fixed release (1.0.6 or 1.1.5).
  • Restrict the size of PDF files accepted by the application and perform strict validation before invoking ForkPDFLayoutTextStripper.
  • Apply application‑level memory quotas or OS‑level resource limits to prevent a single request from consuming excessive memory.
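The second and third actions above can be combined into one guard that sits in front of the stripper. The class below is an added example written for this page; it is not Spring AI's or OpenCVE's code. It assumes the Apache PDFBox 3.x Loader API, which Spring AI 1.x builds on, and the limits (10 MiB, 200 pages, 14,400 pt per page side, 30 s) are illustrative values to be tuned for the documents a deployment actually expects. The premise that a layout-preserving stripper's memory use grows with page count and page geometry is an assumption, not something the advisory states; the only complete fix is the upgrade.

```java
import java.io.IOException;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

import org.apache.pdfbox.Loader;
import org.apache.pdfbox.pdmodel.PDDocument;
import org.apache.pdfbox.pdmodel.PDPage;
import org.apache.pdfbox.pdmodel.common.PDRectangle;

/**
 * Guard rails around layout-preserving PDF text extraction.
 *
 * Added example, not Spring AI code. The limits below are illustrative
 * assumptions; so is the premise that stripper memory use scales with
 * page count and page geometry.
 */
public final class BoundedPdfText {

    /** Any PDFBox-based stripper can be plugged in here. */
    @FunctionalInterface
    public interface PdfTextExtractor {
        String extract(PDDocument document) throws IOException;
    }

    static final long MAX_BYTES = 10L * 1024 * 1024;   // 10 MiB upload cap (assumed)
    static final int MAX_PAGES = 200;                  // assumed
    static final float MAX_PAGE_SIDE_PT = 14_400f;     // 200 in at 72 pt/in, the page-size limit PDF 1.7 Appendix C documents
    static final long TIMEOUT_SECONDS = 30;            // assumed

    // A small fixed pool also bounds how many documents are in flight at once.
    private static final ExecutorService POOL = Executors.newFixedThreadPool(2, r -> {
        Thread t = new Thread(r, "pdf-extract");
        t.setDaemon(true);
        return t;
    });

    private BoundedPdfText() {
    }

    public static String extract(byte[] pdf, PdfTextExtractor extractor)
            throws IOException, TimeoutException {
        // 1. Cheapest check first: bound the input before any parsing happens.
        if (pdf.length > MAX_BYTES) {
            throw new IllegalArgumentException("PDF exceeds " + MAX_BYTES + " bytes");
        }
        // 2. Parse the document structure and inspect page count and geometry
        //    before handing it to the (expensive) layout stripper.
        try (PDDocument doc = Loader.loadPDF(pdf)) {
            int pages = doc.getNumberOfPages();
            if (pages > MAX_PAGES) {
                throw new IllegalArgumentException("PDF has " + pages + " pages, limit is " + MAX_PAGES);
            }
            for (int i = 0; i < pages; i++) {
                PDPage page = doc.getPage(i);
                PDRectangle box = page.getMediaBox();
                if (box == null || box.getWidth() <= 0 || box.getHeight() <= 0
                        || box.getWidth() > MAX_PAGE_SIDE_PT || box.getHeight() > MAX_PAGE_SIDE_PT) {
                    throw new IllegalArgumentException("Page " + (i + 1) + " has an unreasonable MediaBox: " + box);
                }
            }
            // 3. Run the stripper on a worker thread with a deadline so a slow or
            //    pathological file cannot pin the request thread indefinitely.
            Future<String> result = POOL.submit(() -> extractor.extract(doc));
            try {
                return result.get(TIMEOUT_SECONDS, TimeUnit.SECONDS);
            } catch (TimeoutException e) {
                // Best effort: PDFBox may not observe interruption. Closing doc on
                // exit from the try block makes the abandoned worker fail fast.
                result.cancel(true);
                throw e;
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
                throw new IOException("interrupted while extracting PDF text", e);
            } catch (ExecutionException e) {
                Throwable cause = e.getCause();
                if (cause instanceof IOException io) {
                    throw io;
                }
                throw new IOException("PDF text extraction failed", cause);
            }
        }
    }
}
```

Usage would be `BoundedPdfText.extract(bytes, doc -> new ForkPDFLayoutTextStripper().getText(doc))`, which assumes that ForkPDFLayoutTextStripper exposes a public no-argument constructor and inherits `getText(PDDocument)` from PDFBox's PDFTextStripper. Note what this guard does not do: a timeout and a bounded pool limit wall-clock time and concurrency, but nothing inside a JVM caps the heap a single task may consume. The memory quota in the third action has to come from the process boundary, for example a `-Xmx` sized for the expected documents plus a container or cgroup memory limit, ideally with extraction running in a separate worker process so that an OutOfMemoryError takes down the worker rather than the service.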



Advisories

  • Source: GitHub GHSA | ID: GHSA-26gg-9gv2-v27j | Title: Spring AI Vulnerable to OOM by attacker-controlled PDF
References
History

Thu, 30 Apr 2026 03:15:00 +0000

  • Metrics, values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 18:30:00 +0000

  • First Time appeared, values added: Vmware; Vmware spring Ai
  • CPEs, values added: cpe:2.3:a:vmware:spring_ai:*:*:*:*:*:*:*:*
  • Vendors & Products, values added: Vmware; Vmware spring Ai

Wed, 29 Apr 2026 10:15:00 +0000

  • First Time appeared, values added: Spring; Spring spring
  • Vendors & Products, values added: Spring; Spring spring

Tue, 28 Apr 2026 19:45:00 +0000

  • Title, values added: Memory Exhaustion via Malformed PDF in Spring AI

Tue, 28 Apr 2026 09:15:00 +0000

  • Description, values added: In Spring AI, a malicious PDF file can be crafted that triggers the allocation of unreasonable amounts of memory when handled by `ForkPDFLayoutTextStripper`. Affected versions: Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)
  • Weaknesses, values added: CWE-400
  • References
  • Metrics, values added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-04-28T12:32:40.140Z

Reserved: 2026-04-16T02:19:04.616Z

Link: CVE-2026-40980

Vulnrichment

Updated: 2026-04-28T12:32:36.344Z

NVD

Status: Analyzed

Published: 2026-04-28T09:16:16.890

Modified: 2026-04-29T18:15:44.910

Link: CVE-2026-40980

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T10:00:09Z

Weaknesses