Mallory
Severity: High

DoS in Micrometer HTTP server instrumentations

Identifiers: CVE-2026-40984 · CWE-400 (Uncontrolled Resource Consumption)

CVE-2026-40984 is a high-severity denial-of-service vulnerability in Micrometer HTTP server instrumentations. According to the provided advisory content, specially crafted HTTP requests can trigger a DoS condition in applications using vulnerable versions of io.micrometer:micrometer-core, micrometer-jetty11, or micrometer-jetty12. The issue affects deployments where one or more HTTP server instrumentations from those artifacts are configured and metrics are being recorded through the affected instrumentation. Affected versions are micrometer-core 1.16.0-1.16.5, 1.15.0-1.15.11, 1.14.0-1.14.15, 1.13.0-1.13.18, and 1.9.0-1.9.17; micrometer-jetty11 1.16.0-1.16.5, 1.15.0-1.15.11, 1.14.0-1.14.15, and 1.13.0-1.13.18; and micrometer-jetty12 1.16.0-1.16.5, 1.15.0-1.15.11, 1.14.0-1.14.15, and 1.13.0-1.13.18. The specific vulnerable function is not identified in the provided content.

ANALYST BRIEF

Impact, mitigation & remediation

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can cause denial of service against the affected application by disrupting availability through crafted HTTP requests. Based on the provided content, the primary impact is service degradation or outage in applications exposing vulnerable Micrometer HTTP server instrumentation with metrics collection enabled. No evidence is provided here of code execution, privilege escalation, or data exposure.

Mitigation

If you can’t patch tonight, do this now.

The provided advisory states that no further mitigation steps are necessary beyond upgrading. If immediate upgrade is not possible, the content does not provide an official workaround. Operationally, reducing exposure to untrusted HTTP traffic or disabling affected HTTP server instrumentation may reduce risk, but this is not stated as vendor guidance in the provided material.

Remediation

Patch, then assume compromise.

Upgrade to a fixed Micrometer release line. The provided content states that fixes are available in micrometer 1.16.6 and 1.15.12 for OSS users. Enterprise-support fixes are available in 1.14.16, 1.13.19, and 1.9.18. Users should upgrade the affected artifact line to the corresponding fixed version.
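As an added example (not from the advisory or the Micrometer project), the following Python check maps a Micrometer artifact version onto the affected ranges and fixed releases listed above and scans `mvn dependency:tree` output for affected coordinates; the sample tree lines are constructed, not taken from a real build.

```python
import re
# Affected ranges (first, last) and the fixed release per artifact line, from the advisory.
AFFECTED = {
    "micrometer-core": [
        ((1, 16, 0), (1, 16, 5), "1.16.6"),
        ((1, 15, 0), (1, 15, 11), "1.15.12"),
        ((1, 14, 0), (1, 14, 15), "1.14.16"),
        ((1, 13, 0), (1, 13, 18), "1.13.19"),
        ((1, 9, 0), (1, 9, 17), "1.9.18"),
    ],
}
# The jetty11/jetty12 artifacts share the 1.13 to 1.16 ranges but have no 1.9 line.
AFFECTED["micrometer-jetty11"] = AFFECTED["micrometer-core"][:4]
AFFECTED["micrometer-jetty12"] = AFFECTED["micrometer-core"][:4]

def parse_version(text):
    """'1.16.5' or '1.16.5-SNAPSHOT' -> (1, 16, 5), comparable as a tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups())

def fixed_version_for(artifact, version):
    """Fixed release for this artifact's line if `version` is affected, else None."""
    v = parse_version(version)
    for lo, hi, fixed in AFFECTED.get(artifact, []):
        if lo <= v <= hi:
            return fixed
    return None

# Matches mvn dependency:tree lines like '[INFO] +- io.micrometer:micrometer-core:jar:1.16.3:compile'
DEP_LINE = re.compile(r"io\.micrometer:(micrometer-[\w-]+):jar:([^:\s]+)")

def scan_dependency_tree(tree_text):
    """Return (artifact, version, fixed) for every affected Micrometer dependency."""
    findings = []
    for line in tree_text.splitlines():
        m = DEP_LINE.search(line)
        if m:
            artifact, version = m.groups()
            fixed = fixed_version_for(artifact, version)
            if fixed:
                findings.append((artifact, version, fixed))
    return findings

# Constructed sample of `mvn dependency:tree` output, not from a real project.
SAMPLE_TREE = """\
[INFO] +- io.micrometer:micrometer-core:jar:1.16.3:compile
[INFO] |  \\- io.micrometer:micrometer-observation:jar:1.16.3:compile
[INFO] +- io.micrometer:micrometer-jetty12:jar:1.14.16:compile
[INFO] \\- io.micrometer:micrometer-jetty11:jar:1.13.2:compile
"""
```

Running `scan_dependency_tree(SAMPLE_TREE)` flags micrometer-core 1.16.3 (upgrade to 1.16.6) and micrometer-jetty11 1.13.2 (upgrade to 1.13.19), while jetty12 1.14.16 is already on a fixed release.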
PUBLIC EXPLOITS


No public exploit code observed for this vulnerability.
