Description
IBM HTTP Server 8.5, and 9.0 is vulnerable to denial of service via the optional module mod_fastcgi module.
Published: 2026-05-26
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM HTTP Server versions 8.5 and 9.0 are vulnerable to denial of service when the optional mod_fastcgi module is enabled. The flaw allows an attacker to trigger a crash or resource exhaustion by requesting specially crafted content through the module, causing the server to become unavailable to legitimate users. The weakness is identified as CWE-617, indicating a logic flaw that permits resource overconsumption or server crash, leading to availability loss for the affected system.

Affected Systems

The vulnerability affects IBM HTTP Server 8.5 and 9.0, including all associated patch levels that include the optional mod_fastcgi module. Users running these versions should examine whether the module is installed and active, as it is the attack surface for the denial of service condition.

Risk and Exploitability

The CVSS score of 6.2 indicates moderate severity. No EPSS score is available, so the publicly known exploit probability is uncertain, and the vulnerability is not listed in the CISA KEV catalog, implying no known exploited instances as of this analysis. The likely attack vector is remote via HTTP requests directed at the mod_fastcgi module. An attacker could potentially disrupt services without authentication, subjecting the impacted server to unplanned downtime.

Generated by OpenCVE AI on May 26, 2026 at 19:05 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH71265.For IBM HTTP Server used by IBM WebSphere Application Server:For V9.0.0.0 through 9.0.5.28:· Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71265--OR--· Apply Fix Pack 9.0.5.29 or later (targeted availability 3Q2026). For V8.5.0.0 through 8.5.5.29:· Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71265--OR--· Apply Fix Pack 8.5.5.30 or later (targeted availability 3Q2026). Additional interim fixes may be available and linked off the interim fix download page.Important NoteIBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

OpenCVE Recommended Actions

  • Apply the IBM interim fix PH71265 or a subsequent fix pack that includes the resolution for the mod_fastcgi module.
  • For WebSphere customers, install the minimum required fix pack level and then apply the interim fix, or alternatively install Fix Pack 9.0.5.29 or later for V9 and Fix Pack 8.5.5.30 or later for V8.5.
  • These steps ensure the denial of service condition is mitigated.
  • For IBM System z users, subscribe to the System z Security Portal to receive timely security alerts and updates.

Generated by OpenCVE AI on May 26, 2026 at 19:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 26 May 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Ibm aix
Ibm z\/os
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:ibm:http_server:*:*:*:*:*:*:*:*
cpe:2.3:o:ibm:aix:-:*:*:*:*:*:*:*
cpe:2.3:o:ibm:z\/os:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Ibm aix
Ibm z\/os
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Tue, 26 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 26 May 2026 17:00:00 +0000

Type Values Removed Values Added
Description IBM HTTP Server 8.5, and 9.0 is vulnerable to denial of service via the optional module mod_fastcgi module.
Title IBM HTTP Server is affected by multiple vulnerabilities
First Time appeared Ibm
Ibm http Server
Weaknesses CWE-617
CPEs cpe:2.3:a:ibm:http_server:8.5.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:http_server:8.5:*:*:*:*:*:*:*
cpe:2.3:a:ibm:http_server:9.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:http_server:9.0:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm http Server
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Ibm Aix Http Server Z\/os
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-05-26T17:36:19.686Z

Reserved: 2026-05-18T16:13:22.116Z

Link: CVE-2026-8852

cve-icon Vulnrichment

Updated: 2026-05-26T17:36:15.597Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-26T17:16:55.770

Modified: 2026-05-26T20:50:11.357

Link: CVE-2026-8852

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T21:30:16Z

Weaknesses