CVE-2026-40984

Summary

In Micrometer, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Affected versions: micrometer-core 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18; 1.9.0 through 1.9.17. micrometer-jetty11 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18. micrometer-jetty12 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18.

Affected Software

VendorProductVersion RangeStatus
SpringMicrometer1.16.0 < 1.16.5.1affected
SpringMicrometer1.15.0 < 1.15.11.1affected
SpringMicrometer1.14.0 < 1.14.16affected
SpringMicrometer1.13.0 < 1.13.19affected
SpringMicrometer1.9.0 < 1.9.18affected
SpringMicrometer1.16.0 < 1.16.5.1affected
SpringMicrometer1.15.0 < 1.15.11.1affected
SpringMicrometer1.14.0 < 1.14.16affected
SpringMicrometer1.13.0 < 1.13.19affected
SpringMicrometer1.16.0 < 1.16.6affected
SpringMicrometer1.15.0 < 1.15.11.affected
SpringMicrometer1.14.0 < 1.14.15.1affected
SpringMicrometer1.13.0 < 1.13.19affected

Weaknesses

  • CWE-400: CWE-400: Uncontrolled Resource Consumption

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

micrometer-core: micrometer-jetty11: micrometer-jetty12: Micrometer: Denial of Service via specially crafted HTTP requests

Additional References

References