CVE-2026-22740

Summary

A WebFlux server application that processes multipart requests creates temp files for parts larger than 10 K. Under some circumstances, temp files may remain not deleted after the request is fully processed. This allows an attacker to consume available disk space.

Older, unsupported versions are also affected.

Affected Software

VendorProductVersion RangeStatus
VMwareSpring Framework7.0.0 < 7.0.7affected
VMwareSpring Framework6.2.0 < 6.2.18affected
VMwareSpring Framework6.1.0 < 6.1.27affected
VMwareSpring Framework5.3.0 < 5.3.48affected

Weaknesses

  • CWE-400: CWE-400 Uncontrolled Resource Consumption

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References