CVE-2026-6936 - Vulnerability Details

- IBM i is Affected by a Denial of Service Vulnerability []

Description

IBM i 7.6, 7.5, 7.4, and 7.3 s vulnerable to a denial-of-service attack due to uncontrolled recursion in the Integrated Language Environment (ILE) compiler. An authenticated attacker could exploit this vulnerability by compiling specially crafted source code containing a specific combination of statements.

Published: 2026-05-27

Score: 6.5 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

IBM i 7.6, 7.5, 7.4, and 7.3 are vulnerable to a denial‑of‑service condition caused by uncontrolled recursion in the Integrated Language Environment compiler. An attacker who is able to authenticate and compile source code can supply specially crafted statements that trigger infinite recursion, exhausting system resources and preventing the system from processing additional requests. This weakness falls under CWE‑674 and results in loss of availability for any service using the affected compiler.

Affected Systems

The affected products are IBM i versions 7.6, 7.5, 7.4, and 7.3. These runtimes expose the ILE compiler component that is susceptible to the recursion flaw.

Risk and Exploitability

The vulnerability has a CVSS score of 6.5 and is not currently listed in the CISA KEV catalog. No EPSS score is available, so the probability of exploitation is unknown. The attack vector requires an authenticated user with access to the compilation function; an attacker can trigger the flaw by uploading or providing malicious source code that contains the recursive statement pattern.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

IBM

affected

Version	Status	Constraints
`7.6`	affected	≤ 11.5.9
`7.5`	affected	≤ 12.1.4
`7.4`	affected	—
`7.3`	affected	—

No data.

Vendor Product Confidence Versions

Ibm

95%

Version	Status	Scheme	Platform
`[7.6,11.5.9]`	affected	semver	—
`[7.5,12.1.4]`	affected	semver	—
`7.4`	affected	generic	—
`7.3`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

IBM i Release5770-999 PTF Number(s)PTF Download Link(s)7.6MJ09365 https://www.ibm.com/mysupport/s/fix-information?legacy=MJ09365 7.5MJ09335 https://www.ibm.com/mysupport/s/fix-information?legacy=MJ09335 7.4MJ09334 https://www.ibm.com/mysupport/s/fix-information?legacy=MJ09334 7.3MJ09332 https://www.ibm.com/mysupport/s/fix-information?legacy=MJ09332 IBM recommends users running unsupported versions of affected products upgrade to a supported and fixed version of affected products.

OpenCVE Recommended Actions

Apply the IBM i Patch Team Fix corresponding to your operating system version (e.g., MJ09365 for 7.6, MJ09335 for 7.5, MJ09334 for 7.4, MJ09332 for 7.3).
After installing the patch, conduct a test compilation of a known malicious source file to confirm the recursion is no longer triggered.
If a supported release is available, upgrade to the latest IBM i release (e.g., Release5770‑999) to receive all security updates and additional mitigations.

Generated by OpenCVE AI on May 27, 2026 at 17:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://www.ibm.com/support/pages/node/7272908

History

Wed, 27 May 2026 17:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		IBM i 7.6, 7.5, 7.4, and 7.3 s vulnerable to a denial-of-service attack due to uncontrolled recursion in the Integrated Language Environment (ILE) compiler. An authenticated attacker could exploit this vulnerability by compiling specially crafted source code containing a specific combination of statements.
Title		IBM i is Affected by a Denial of Service Vulnerability []
First Time appeared		Ibm Ibm i
Weaknesses		CWE-674
CPEs		cpe:2.3:a:ibm:i:7.3.0:::::::* cpe:2.3:a:ibm:i:7.3:::::::* cpe:2.3:a:ibm:i:7.4.0:::::::* cpe:2.3:a:ibm:i:7.4:::::::* cpe:2.3:a:ibm:i:7.5.0:::::::* cpe:2.3:a:ibm:i:7.5:::::::* cpe:2.3:a:ibm:i:7.6.0:::::::* cpe:2.3:a:ibm:i:7.6:::::::*
Vendors & Products		Ibm Ibm i
References		https://www.ibm.com/support/pages/node/7272908
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

Ibm I

MITRE

Status: PUBLISHED

Assigner: ibm

Published: 2026-05-27T13:10:46.314Z

Updated: 2026-05-27T15:30:14.915Z

Reserved: 2026-04-23T19:11:07.049Z

Link: CVE-2026-6936

Vulnrichment

Updated: 2026-05-27T15:30:10.816Z

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:34.923

Modified: 2026-05-27T14:53:51.833

Link: CVE-2026-6936

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T04:45:07Z

Weaknesses

CWE-674

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object