Description
IBM HTTP Server 8.5 and 9.0 contain a buffer overflow vulnerability. A privileged user, authenticated to the Administration Server, could exploit this vulnerability to execute remote code or cause a denial of service.
Published: 2026-05-26
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM HTTP Server 8.5 and 9.0 contain a buffer overflow that can be triggered by a privileged user authenticated to the Administration Server. The overflow permits the attacker to execute arbitrary code or crash the server, exposing confidentiality, integrity, and availability risks. The weakness is classified as CWE-122, Heap-based Buffer Overflow.

Affected Systems

The vulnerability affects IBM HTTP Server 8.5.x and 9.0.x, as bundled with WebSphere Application Server V9.0.0.0 through 9.0.5.28 and V8.5.0.0 through 8.5.5.29. IBM recommends applying the interim fix for APAR PH71265, or installing Fix Pack 9.0.5.29 (or later) for V9 and Fix Pack 8.5.5.30 (or later) for V8; the interim fix requires first upgrading to the minimal fix pack level it depends on.

Risk and Exploitability

The CVSS score of 8.0 marks the flaw as high severity. EPSS score is not available, indicating no current exploitation probability data. The flaw is not listed in CISA KEV, suggesting no publicly known active exploits yet. Exploitation requires the attacker to be a privileged user with administrative authentication, so the realistic attack paths are an insider or an attacker who has already compromised administrative credentials.

Generated by OpenCVE AI on May 26, 2026 at 20:36 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH71265.

For IBM HTTP Server used by IBM WebSphere Application Server:

For V9.0.0.0 through 9.0.5.28:
  • Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71265
  --OR--
  • Apply Fix Pack 9.0.5.29 or later (targeted availability 3Q2026).

For V8.5.0.0 through 8.5.5.29:
  • Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71265
  --OR--
  • Apply Fix Pack 8.5.5.30 or later (targeted availability 3Q2026).

Additional interim fixes may be available and linked off the interim fix download page.

Important Note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.


OpenCVE Recommended Actions

  • Apply the IBM interim fix PH71265 or install the appropriate Fix Pack 8.5.5.30+ or 9.0.5.29+ on all affected IBM HTTP Server instances, ensuring the buffer overflow is patched.
  • Upgrade to the minimal required fix pack levels, then apply the interim fix, and restart the server to activate the updates in WebSphere Application Server environments.
  • Configure network segmentation to limit privileged administrative traffic to trusted IP ranges and subscribe to IBM's System z Security Portal for timely alerts about future security patches.

Generated by OpenCVE AI on May 26, 2026 at 20:36 UTC.

Advisories

No advisories yet.

History

Tue, 26 May 2026 20:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Ibm aix
                                       Ibm z/os
                                       Linux
                                       Linux linux Kernel
                                       Microsoft
                                       Microsoft windows
CPEs                  (none)           cpe:2.3:a:ibm:http_server:*:*:*:*:*:*:*:*
                                       cpe:2.3:o:ibm:aix:-:*:*:*:*:*:*:*
                                       cpe:2.3:o:ibm:z\/os:-:*:*:*:*:*:*:*
                                       cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
                                       cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products    (none)           Ibm aix
                                       Ibm z/os
                                       Linux
                                       Linux linux Kernel
                                       Microsoft
                                       Microsoft windows

Tue, 26 May 2026 19:30:00 +0000

Type                  Values Removed   Values Added
Metrics               (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 26 May 2026 18:00:00 +0000

Type                  Values Removed   Values Added
Description           (none)           IBM HTTP Server 8.5, and 9.0 contains a buffer overflow vulnerability. A privileged user, authenticated to the Administration Server, could exploit this vulnerability to execute remote code or cause a denial of service.
Title                 (none)           IBM HTTP Server is affected by multiple vulnerabilities
First Time appeared   (none)           Ibm
                                       Ibm http Server
Weaknesses            (none)           CWE-122
CPEs                  (none)           cpe:2.3:a:ibm:http_server:8.5.0:*:*:*:*:*:*:*
                                       cpe:2.3:a:ibm:http_server:8.5:*:*:*:*:*:*:*
                                       cpe:2.3:a:ibm:http_server:9.0.0:*:*:*:*:*:*:*
                                       cpe:2.3:a:ibm:http_server:9.0:*:*:*:*:*:*:*
Vendors & Products    (none)           Ibm
                                       Ibm http Server
References
Metrics               (none)           cvssV3_1: {'score': 8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED
Assigner: ibm
Published:
Updated: 2026-05-28T03:55:40.361Z
Reserved: 2026-05-18T14:08:39.363Z
Link: CVE-2026-8834

Vulnrichment

Updated: 2026-05-26T18:32:09.071Z

NVD

Status: Analyzed
Published: 2026-05-26T18:16:56.667
Modified: 2026-06-17T11:04:30.153
Link: CVE-2026-8834

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T20:45:06Z

Weaknesses
  • CWE-122: Heap-based Buffer Overflow