Description
IBM HTTP Server 8.5, and 9.0 is vulnerable to denial of service via the optional module mod_ibm_upload.
Published: 2026-05-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM HTTP Server 8.5 and 9.0 contain an optional module, mod_ibm_upload, that can be compromised to cause a server process crash. The vulnerability originates from improper handling of input within this module; when exploited a legitimate process terminates, leading to unavailable web services and potential repeated downtime. The weakness aligns with CWE‑476, which denotes a null pointer dereference that can be triggered by unexpected input.

Affected Systems

IBM HTTP Server 8.5.x (versions 8.5.0.0 through 8.5.5.29) and 9.0.x (versions 9.0.0.0 through 9.0.5.28) that include the optional mod_ibm_upload module are affected. The vulnerability applies to installations that have not applied the interim fix PH71265 or the subsequent fix packs 8.5.5.30+ for 8.5 series and 9.0.5.29+ for 9.0 series.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity for this denial of service issue. EPSS data is not available, so the probability of exploitation cannot be quantified. The vulnerability is not listed in the CISA KEV catalogue. Based on the description, it is inferred that the exploit is triggered through an HTTP request directed at the optional module, meaning remote network access to the affected port is required. An attacker capable of sending such requests could repeatedly crash the server, leading to significant availability disruption until the patch is applied.

Generated by OpenCVE AI on May 26, 2026 at 19:44 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH71265. For IBM HTTP Server used by IBM WebSphere Application Server: For V9.0.0.0 through 9.0.5.28: · Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71265 https://www.ibm.com/support/pages/node/7239806 --OR-- · Apply Fix Pack 9.0.5.29 or later (targeted availability 3Q2026).  For V8.5.0.0 through 8.5.5.29: · Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71265 https://www.ibm.com/support/pages/node/7239806 --OR-- · Apply Fix Pack 8.5.5.30 or later (targeted availability 3Q2026).  Additional interim fixes may be available and linked off the interim fix download page. Important Note IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

OpenCVE Recommended Actions

  • Apply the interim fix PH71265 immediately to the IBM HTTP Server running on WebSphere Application Server.
  • After installing the interim fix, update the server with the latest available fix pack for the specific major version (9.0.5.29 or later for 9.0.x releases, and 8.5.5.30 or later for 8.5.x releases).
  • If the optional mod_ibm_upload module is not required for your deployment, remove or disable it to eliminate the attack surface.

Generated by OpenCVE AI on May 26, 2026 at 19:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 26 May 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Ibm aix
Ibm z\/os
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:ibm:http_server:*:*:*:*:*:*:*:*
cpe:2.3:o:ibm:aix:-:*:*:*:*:*:*:*
cpe:2.3:o:ibm:z\/os:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Ibm aix
Ibm z\/os
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Tue, 26 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 26 May 2026 17:00:00 +0000

Type Values Removed Values Added
Description IBM HTTP Server 8.5, and 9.0 is vulnerable to denial of service via the optional module mod_ibm_upload.
Title IBM HTTP Server is affected by multiple vulnerabilities
First Time appeared Ibm
Ibm http Server
Weaknesses CWE-476
CPEs cpe:2.3:a:ibm:http_server:8.5.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:http_server:8.5:*:*:*:*:*:*:*
cpe:2.3:a:ibm:http_server:9.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:http_server:9.0:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm http Server
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Ibm Aix Http Server Z\/os
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-05-26T18:40:16.281Z

Reserved: 2026-05-18T15:58:16.692Z

Link: CVE-2026-8850

cve-icon Vulnrichment

Updated: 2026-05-26T18:40:10.596Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-26T17:16:55.640

Modified: 2026-05-26T20:50:36.120

Link: CVE-2026-8850

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T19:45:06Z

Weaknesses