Bug 2487394 (CVE-2026-41716) - CVE-2026-41716 Spring Data Commons: Spring Data Commons: Denial of Service due to cache exhaustion via attacker-supplied strings
Summary: CVE-2026-41716 Spring Data Commons: Spring Data Commons: Denial of Service du...
Keywords:
Status: NEW
Alias: CVE-2026-41716
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-10 00:02 UTC by OSIDB Bzimport
Modified: 2026-07-06 12:57 UTC (History)
24 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-10 00:02:38 UTC
Spring Data's internal property-lookup cache accepts and permanently retains attacker-supplied strings as cache keys, allowing heap exhaustion through repeated requests.

Affected versions:
Spring Data Commons 2.7.0 through 2.7.19; 3.3.0 through 3.3.16; 3.4.0 through 3.4.14; 3.5.0 through 3.5.11; 4.0.0 through 4.0.5.


Note You need to log in before you can comment on or make changes to this bug.