Missing Release of Memory after Effective Lifetime Affecting org.springframework:spring-web package, versions [5.3.0, 6.0.0)[6.1.0, 6.2.19)[7.0.0-M1, 7.0.8)


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Social Trends
EPSS
0.25% (16th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Missing Release of Memory after Effective Lifetime vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JAVA-ORGSPRINGFRAMEWORK-17253520
  • published9 Jun 2026
  • disclosed8 Jun 2026
  • creditUnknown

Introduced: 8 Jun 2026

NewCVE-2026-41840  (opens in a new tab)
CWE-401  (opens in a new tab)

How to fix?

Upgrade org.springframework:spring-web to version 6.0.0, 6.2.19, 7.0.8 or higher.

Overview

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Missing Release of Memory after Effective Lifetime via multipart request processing in Spring WebFlux. An attacker can cause denial of service by sending crafted multipart requests that trigger a memory leak during request processing, leading to excessive memory consumption and potentially causing the application to become unavailable.

Note: This is only exploitable if the application uses Spring WebFlux and exposes an endpoint that accepts multipart requests.

CVSS Base Scores

version 4.0
version 3.1