Description
IBM HTTP Server 8.5, and 9.0 is vulnerable to invalid pointer dereference. A privileged user, authenticated to the Administration Server, could exploit this vulnerability to expose sensitive information or cause a denial of service.
Published: 2026-05-26
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM HTTP Server 8.5 and 9.0 are vulnerable to an invalid pointer dereference (CWE-822) that can be triggered by a privileged user authenticated to the Administration Server. Exploiting this flaw can expose sensitive information or cause the web server to terminate, resulting in a denial of service.

Affected Systems

Affected versions include IBM HTTP Server 8.5.0 through 8.5.5.29 and 9.0.0 through 9.0.5.28. The fix is available as interim fix PH71265 and in fix packs 8.5.5.30 (or later) and 9.0.5.29 (or later). Customers should apply the interim fix after upgrading to the minimal required fix pack level, or apply a full fix pack of the indicated version or newer.

Risk and Exploitability

The CVSS score of 7.3 indicates a medium severity. No EPSS score is published, and the vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires local or network access to a system where an attacker can authenticate as a privileged user to the Administration Server. Once authenticated, the attacker can trigger the dereference to read data or crash the server.

Generated by OpenCVE AI on May 26, 2026 at 21:36 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH71265.For IBM HTTP Server used by IBM WebSphere Application Server:For V9.0.0.0 through 9.0.5.28:· Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71265--OR--· Apply Fix Pack 9.0.5.29 or later (targeted availability 3Q2026). For V8.5.0.0 through 8.5.5.29:· Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71265--OR--· Apply Fix Pack 8.5.5.30 or later (targeted availability 3Q2026). Additional interim fixes may be available and linked off the interim fix download page.Important NoteIBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

OpenCVE Recommended Actions

  • Upgrade to the latest IBM HTTP Server fix pack (8.5.5/8.5.5.30 or later, 9.0/9.0.5.29 or later) or apply the interim fix PH71265 immediately.
  • If using a minimal fix pack, first upgrade to the minimal level required for the interim fix and then apply PH71265.
  • Restrict access to the Administration Server to only necessary privileged users and consider network segmentation to limit exposure.

Generated by OpenCVE AI on May 26, 2026 at 21:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 26 May 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Ibm aix
Ibm z\/os
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:ibm:http_server:*:*:*:*:*:*:*:*
cpe:2.3:o:ibm:aix:-:*:*:*:*:*:*:*
cpe:2.3:o:ibm:z\/os:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Ibm aix
Ibm z\/os
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Tue, 26 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 26 May 2026 18:00:00 +0000

Type Values Removed Values Added
Description IBM HTTP Server 8.5, and 9.0 is vulnerable to invalid pointer dereference. A privileged user, authenticated to the Administration Server, could exploit this vulnerability to expose sensitive information or cause a denial of service.
Title IBM HTTP Server is affected by multiple vulnerabilities
First Time appeared Ibm
Ibm http Server
Weaknesses CWE-822
CPEs cpe:2.3:a:ibm:http_server:8.5.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:http_server:8.5:*:*:*:*:*:*:*
cpe:2.3:a:ibm:http_server:9.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:http_server:9.0:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm http Server
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}

Subscriptions

Ibm Aix Http Server Z\/os
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-05-26T18:52:37.441Z

Reserved: 2026-05-18T14:10:22.837Z

Link: CVE-2026-8835

cve-icon Vulnrichment

Updated: 2026-05-26T18:52:25.895Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-26T18:16:56.803

Modified: 2026-05-26T20:31:32.747

Link: CVE-2026-8835

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T21:45:16Z

Weaknesses
  • CWE-822

    Untrusted Pointer Dereference