Full Report
Spring security advisory (AV26-558)
Analysis Summary
# Vulnerability: Micrometer Denial of Service (DoS) Vulnerabilities
## CVE Details
- **CVE ID:** CVE-2026-40984, CVE-2026-40983
- **CVSS Score:** Not stated in the advisory summary; DoS flaws of this kind are typically rated **High** for availability impact.
- **CWE:** CWE-400 (Uncontrolled Resource Consumption)
## Affected Systems
- **Products:** Micrometer, Micrometer-core, Jetty11, Jetty12
- **Versions:**
  - Micrometer: multiple versions (refer to vendor documentation for specific version ranges)
  - Jetty: 11.x and 12.x series
- **Configurations:** Systems utilizing Micrometer HTTP or gRPC server instrumentations for monitoring and metrics collection.
## Vulnerability Description
These vulnerabilities involve Denial of Service (DoS) flaws within Micrometer's server instrumentation components:
- **CVE-2026-40984:** Affects HTTP server instrumentations. A flaw in how HTTP requests are processed for metrics collection can lead to excessive resource consumption (memory or CPU), causing the server to become unresponsive.
- **CVE-2026-40983:** Affects gRPC server instrumentations. Similarly, maliciously crafted gRPC calls or specific traffic patterns can exhaust server resources via the instrumentation layer.
## Exploitation
- **Status:** Vulnerability published; exploitation status not specified in the advisory.
- **Complexity:** Low to Medium.
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** None.
- **Integrity:** None.
- **Availability:** High (Service interruption or exhaustion of system resources).
## Remediation
### Patches
Spring and the Micrometer project have released updates to address these flaws. Users are advised to upgrade to the latest stable versions of:
- Micrometer-core
- Micrometer Jetty instrumentations (Jetty 11 and 12)
### Workarounds
- **Disable Instrumentation:** If immediate patching is not possible, temporarily disabling the specific HTTP or gRPC instrumentation metrics may mitigate the risk.
- **Rate Limiting:** Implement strict rate limiting and request size filtering at the edge (WAF/API Gateway) to reduce the volume of potentially malicious traffic reaching the instrumented endpoints.
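One way to apply the "disable instrumentation" workaround programmatically, as an added illustration (not code from the advisory or the Micrometer project): a Micrometer `MeterFilter` that rejects the HTTP and gRPC server meters so the instrumentation layer records nothing for them. The meter-name prefixes (`http.server.requests`, `grpc.server.`) and the `metrics.server.disabled` property are assumptions, not values from the advisory; confirm the prefixes against the meters your registry actually exposes.

```java
import io.micrometer.core.instrument.MeterRegistry;
import io.micrometer.core.instrument.config.MeterFilter;
import io.micrometer.core.instrument.simple.SimpleMeterRegistry;

/**
 * Temporary kill switch for the affected HTTP and gRPC server instrumentation,
 * to be removed once the patched micrometer-core / Jetty modules are deployed.
 *
 * Assumption: the meters use Micrometer's usual names ("http.server.requests"
 * for HTTP server timings, "grpc.server." for the gRPC server interceptor).
 */
public final class InstrumentationKillSwitch {

    // Assumed property name; default to disabled until the patch is rolled out.
    private static final boolean SERVER_INSTRUMENTATION_DISABLED =
            Boolean.parseBoolean(System.getProperty("metrics.server.disabled", "true"));

    private InstrumentationKillSwitch() {}

    /** Installs the deny filters. Must run at startup, before any meter is registered. */
    public static void apply(MeterRegistry registry) {
        if (!SERVER_INSTRUMENTATION_DISABLED) {
            return;
        }
        // A deny filter rejects the meter ID outright: the registry hands back a
        // no-op meter, so no per-request meter state is created for these names.
        registry.config()
                .meterFilter(MeterFilter.denyNameStartsWith("http.server.requests"))
                .meterFilter(MeterFilter.denyNameStartsWith("grpc.server."));
    }

    /** Returns true if the registry actually registers a meter with this name. */
    public static boolean isAccepted(MeterRegistry registry, String meterName) {
        registry.counter(meterName);
        // Denied meters are never added, so the lookup yields null for them.
        return registry.find(meterName).counter() != null;
    }

    public static void main(String[] args) {
        MeterRegistry registry = new SimpleMeterRegistry();
        apply(registry);
        System.out.println("http.server.requests accepted: "
                + isAccepted(registry, "http.server.requests")); // false
        System.out.println("grpc.server.processing.duration accepted: "
                + isAccepted(registry, "grpc.server.processing.duration")); // false
        System.out.println("jvm.memory.used accepted: "
                + isAccepted(registry, "jvm.memory.used")); // true, unrelated meters still work
    }
}
```

In Spring Boot the same effect is available without code through the `management.metrics.enable.<prefix>=false` properties; either way, filters must be in place before the first request is instrumented, so apply them at startup rather than at runtime.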
## Detection
- **Indicators of Compromise:** Unusual spikes in CPU or memory usage specifically tied to the monitoring/metrics threads or classes.
- **Detection Methods:** Monitor for "Out of Memory" errors or significant latency increases in applications where Micrometer metrics are gathered.
## References
- [Vendor Advisory: CVE-2026-40984](https[:]//spring[.]io/security/cve-2026-40984)
- [Vendor Advisory: CVE-2026-40983](https[:]//spring[.]io/security/cve-2026-40983)
- [Spring Security Advisories](https[:]//spring[.]io/security)
- [Canadian Centre for Cyber Security (AV26-558)](https[:]//www[.]cyber[.]gc[.]ca/en/alerts-advisories/spring-security-advisory-av26-558)