{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40977", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-04-16T02:19:04.616Z", "datePublished": "2026-04-27T23:36:06.654Z", "dateUpdated": "2026-04-28T14:34:36.220Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-04-27T23:36:06.654Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-59: Improper Link Resolution Before File Access", "type": "CWE", "cweId": "CWE-59"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "Per CVSS v3.1: Confidentiality NONE; Integrity LOW; Availability HIGH."}]}], "affected": [{"vendor": "Spring", "product": "Spring Boot", "versions": [{"status": "affected", "version": "4.0.0", "lessThan": "4.0.6", "versionType": "custom"}, {"status": "affected", "version": "3.5.0", "lessThan": "3.5.14", "versionType": "custom"}, {"status": "affected", "version": "3.4.0", "lessThan": "3.4.16", "versionType": "custom"}, {"status": "affected", "version": "3.3.0", "lessThan": "3.3.19", "versionType": "custom"}, {"status": "affected", "version": "2.7.0", "lessThan": "2.7.33", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "When an application is configured to use `ApplicationPidFileWriter`, a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started.\n\nAffected: Spring Boot 4.0.0\u20134.0.5 (fix 4.0.6), 3.5.0\u20133.5.13 (fix 3.5.14), 3.4.0\u20133.4.15 (fix 3.4.16), 3.3.0\u20133.3.18 (fix 3.3.19), 2.7.0\u20132.7.32 (fix 2.7.33); PID file / symlink behavior (`ApplicationPidFileWriter`). Versions that are no longer supported are also affected per vendor advisory.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>When an application is configured to use <code>ApplicationPidFileWriter</code>, a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started.</p><p>Affected: Spring Boot 4.0.0\u20134.0.5 (fix 4.0.6), 3.5.0\u20133.5.13 (fix 3.5.14), 3.4.0\u20133.4.15 (fix 3.4.16), 3.3.0\u20133.3.18 (fix 3.3.19), 2.7.0\u20132.7.32 (fix 2.7.33); PID file / symlink behavior (<code>ApplicationPidFileWriter</code>). Versions that are no longer supported are also affected per vendor advisory.</p>"}]}], "references": [{"url": "https://spring.io/security/cve-2026-40977"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH", "baseScore": 4.7, "baseSeverity": "MEDIUM"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T13:55:11.041412Z", "id": "CVE-2026-40977", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:34:36.220Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40977", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-28T13:55:11.041412Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T13:55:15.321Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "impacts": [{"descriptions": [{"lang": "en", "value": "Per CVSS v3.1: Confidentiality NONE; Integrity LOW; Availability HIGH."}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "product": "Spring Boot", "versions": [{"status": "affected", "version": "4.0.0", "lessThan": "4.0.6", "versionType": "custom"}, {"status": "affected", "version": "3.5.0", "lessThan": "3.5.14", "versionType": "custom"}, {"status": "affected", "version": "3.4.0", "lessThan": "3.4.16", "versionType": "custom"}, {"status": "affected", "version": "3.3.0", "lessThan": "3.3.19", "versionType": "custom"}, {"status": "affected", "version": "2.7.0", "lessThan": "2.7.33", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://spring.io/security/cve-2026-40977"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "When an application is configured to use `ApplicationPidFileWriter`, a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started.\n\nAffected: Spring Boot 4.0.0\u20134.0.5 (fix 4.0.6), 3.5.0\u20133.5.13 (fix 3.5.14), 3.4.0\u20133.4.15 (fix 3.4.16), 3.3.0\u20133.3.18 (fix 3.3.19), 2.7.0\u20132.7.32 (fix 2.7.33); PID file / symlink behavior (`ApplicationPidFileWriter`). Versions that are no longer supported are also affected per vendor advisory.", "supportingMedia": [{"type": "text/html", "value": "<p>When an application is configured to use <code>ApplicationPidFileWriter</code>, a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started.</p><p>Affected: Spring Boot 4.0.0\u20134.0.5 (fix 4.0.6), 3.5.0\u20133.5.13 (fix 3.5.14), 3.4.0\u20133.4.15 (fix 3.4.16), 3.3.0\u20133.3.18 (fix 3.3.19), 2.7.0\u20132.7.32 (fix 2.7.33); PID file / symlink behavior (<code>ApplicationPidFileWriter</code>). Versions that are no longer supported are also affected per vendor advisory.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-59", "description": "CWE-59: Improper Link Resolution Before File Access"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-04-27T23:36:06.654Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40977", "state": "PUBLISHED", "dateUpdated": "2026-04-28T14:34:36.220Z", "dateReserved": "2026-04-16T02:19:04.616Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2026-04-27T23:36:06.654Z", "assignerShortName": "vmware"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "matchCriteriaId": "5B1C9BD7-7555-4B3D-AED9-60C3C13DCF46", "versionEndExcluding": "2.7.33", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "matchCriteriaId": "28EE6470-24FD-49D1-A2F0-7A19B290A161", "versionEndExcluding": "3.3.19", "versionStartIncluding": "3.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "matchCriteriaId": "758A9E8F-0C52-43D9-8D84-69622B345A4E", "versionEndExcluding": "3.4.16", "versionStartIncluding": "3.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "matchCriteriaId": "D23096A1-8269-46C5-9215-9098E87D0A24", "versionEndExcluding": "3.5.14", "versionStartIncluding": "3.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "matchCriteriaId": "12A166C5-8B55-4BA3-AA8B-6024A257D441", "versionEndExcluding": "4.0.6", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When an application is configured to use `ApplicationPidFileWriter`, a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started.\n\nAffected: Spring Boot 4.0.0\u20134.0.5 (fix 4.0.6), 3.5.0\u20133.5.13 (fix 3.5.14), 3.4.0\u20133.4.15 (fix 3.4.16), 3.3.0\u20133.3.18 (fix 3.3.19), 2.7.0\u20132.7.32 (fix 2.7.33); PID file / symlink behavior (`ApplicationPidFileWriter`). Versions that are no longer supported are also affected per vendor advisory."}], "id": "CVE-2026-40977", "lastModified": "2026-04-30T13:37:07.597", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 4.2, "source": "security@vmware.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-28T00:16:24.947", "references": [{"source": "security@vmware.com", "tags": ["Vendor Advisory"], "url": "https://spring.io/security/cve-2026-40977"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}], "source": "security@vmware.com", "type": "Secondary"}]}

{"bugzilla": {"description": "Spring Boot: Spring Boot: Local file corruption via PID file manipulation", "id": "2463329", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2463329"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H", "status": "draft"}, "cwe": "CWE-59", "details": ["A flaw was found in Spring Boot when an application is configured to use `ApplicationPidFileWriter`. A local attacker with write access to the PID file's location can exploit this vulnerability to corrupt one arbitrary file on the host each time the application is started. This can lead to data integrity issues or a denial of service (DoS) by rendering critical system files unusable."], "name": "CVE-2026-40977", "package_state": [{"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Fix deferred", "package_name": "spring-boot", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:amq_clients:2023", "fix_state": "Fix deferred", "package_name": "spring-boot", "product_name": "Red Hat AMQ Clients"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Fix deferred", "package_name": "spring-boot", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:apache_camel_hawtio:4", "fix_state": "Fix deferred", "package_name": "spring-boot", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Fix deferred", "package_name": "spring-boot", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Fix deferred", "package_name": "spring-boot", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "log4j:2/log4j", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "log4j", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "spring-boot", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "spring-boot", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "spring-boot", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "spring-boot", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Fix deferred", "package_name": "devspaces/openvsx-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Fix deferred", "package_name": "devspaces/pluginregistry-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Fix deferred", "package_name": "spring-boot", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Fix deferred", "package_name": "spring-boot", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2026-04-27T23:36:06Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-40977\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40977\nhttps://spring.io/security/cve-2026-40977"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0,4.0.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.5.0,3.5.14)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.4.0,3.4.16)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.3.0,3.3.19)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.7.0,2.7.33)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Spring Boot", "source": "cna", "vendor": "Spring"}, "product": "spring_boot", "vendor": "spring"}], "analysis": {"en": {"generated_at": "2026-04-28T12:40:17.404824+00:00", "value": {"mitigation_remediation": ["Upgrade to a fixed Spring Boot release (4.0.6, 3.5.14, 3.4.16, 3.3.19, or 2.7.33 or newer).", "Make the PID file directory read\u2011only or owned by a non\u2011privileged user so that a local attacker cannot write to it.", "If the PID file writer is not needed for your deployment, disable ApplicationPidFileWriter in your Spring Boot configuration."], "summary": {"action": "Patch", "impact": "Local File Corruption"}, "threat_synthesis": {"affected_systems": "Spring Boot versions from 2.7.0 through 4.0.5 are affected. The advisory lists specific supported versions: 2.7.0\u20132.7.32 (fixed in 2.7.33), 3.3.0\u20133.3.18 (fixed in 3.3.19), 3.4.0\u20133.4.15 (fixed in 3.4.16), 3.5.0\u20133.5.13 (fixed in 3.5.14), and 4.0.0\u20134.0.5 (fixed in 4.0.6). Versions that are no longer supported are also affected per vendor advisory.", "description_and_impact": "The vulnerability resides in Spring Boot's ApplicationPidFileWriter component. A local attacker who can write to the directory where the PID file is stored can corrupt any file in that location each time the application is started. This corruption can affect application or system files, potentially leading to service disruption or other integrity violations. The weakness is a form of arbitrary file write (CWE\u201159).", "risk_and_exploitability": "The CVSS score of 4.7 indicates moderate severity. EPSS is not available and the issue is not listed in CISA's KEV catalog. Exploitation requires a local attacker with write permission to the PID file directory; no remote attack vector is described. The risk is therefore moderate for environments where such local access is possible."}}}}, "created": "2026-04-28T02:00:14.702431+00:00", "title": "Local File Corruption via Spring Boot PID File Writer Misconfiguration", "updated": "2026-04-28T12:45:31.397106+00:00", "vendors": ["spring", "spring$PRODUCT$spring_boot"]}