Description
IBM Concert 1.0.0 through 2.2.0 could allow an attacker to access sensitive information in memory due to the buffer not properly clearing resources.
Published: 2026-03-25
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability exists in IBM Concert Software versions 1.0.0 through 2.2.0. A buffer is not properly cleared when resources are released, allowing an attacker to read private data from memory. This leads to disclosure of confidential information, reflecting the improper data sanitization weakness identified as CWE-14.

Affected Systems

IBM Concert Software releases 1.0.0 through 2.2.0 are affected. All older releases before 1.0.0 are unaffected, and the issue is fixed in version 2.3.1.

Risk and Exploitability

The published CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) indicates a local attack vector with no privileges or user interaction required, a high confidentiality impact, and no integrity or availability impact; the flaw is triggered while the application is running. The CVSS score of 6.2 denotes moderate severity. With an EPSS below 1% and no inclusion in the KEV catalog, the probability of exploitation remains low; however, the potential for sensitive data leakage warrants remediation. The flaw does not provide a documented remote execution path, but memory exposure during operation could compromise confidentiality for affected users.

Generated by OpenCVE AI on March 26, 2026 at 20:05 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by upgrading to IBM Concert Software 2.3.1. Download IBM Concert Software 2.3.1 from the Container software library section of the IBM Entitled Registry (ICR, https://myibm.ibm.com/products-services/containerlibrary) and follow the installation instructions (https://www.ibm.com/docs/en/concert) depending on the type of deployment.


OpenCVE Recommended Actions

  • Upgrade IBM Concert Software to version 2.3.1
  • Download the upgrade from the IBM Entitled Registry Container Software Library and follow the installation instructions

Generated by OpenCVE AI on March 26, 2026 at 20:05 UTC.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 18:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 18:00:00 +0000

Type | Values Removed | Values Added
CPEs |                | cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:*

Wed, 25 Mar 2026 20:45:00 +0000

Type               | Values Removed | Values Added
Description        |                | IBM Concert 1.0.0 through 2.2.0 could allow an attacker to access sensitive information in memory due to the buffer not properly clearing resources.
Title              |                | Multiple Vulnerabilities in IBM Concert Software
First Time appeared|                | Ibm; Ibm concert
Weaknesses         |                | CWE-14
CPEs               |                | cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*; cpe:2.3:a:ibm:concert:2.2.0:*:*:*:*:*:*:*
Vendors & Products |                | Ibm; Ibm concert
References         |                |
Metrics            |                | cvssV3_1 {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-03-26T17:51:17.022Z

Reserved: 2025-11-06T18:13:00.559Z

Link: CVE-2025-64646

Vulnrichment

Updated: 2026-03-26T17:49:23.534Z

NVD

Status: Analyzed

Published: 2026-03-25T21:16:25.647

Modified: 2026-03-26T17:51:38.703

Link: CVE-2025-64646

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:29:38Z

Weaknesses