Description
IBM HTTP Server 8.5, and 9.0 is vulnerable to denial of service via the optional module mod_mem_cache.
Published: 2026-05-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM HTTP Server 8.5 and 9.0 can be forced into a denial‑of‑service state when the optional mod_mem_cache module is loaded. The flaw allows an attacker to exhaust system resources via crafted HTTP requests that engage the cache, leading to service unavailability. This weakness is classified as CWE‑825, an example of resource exhaustion that undermines availability.

Affected Systems

The vulnerability affects IBM HTTP Server 8.5 and 9.0 products, from the initial release up through 8.5.5.29 and 9.0.5.28. All builds that include the mod_mem_cache module are susceptible unless the module is disabled or the system is updated to a level that contains the fix.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity DoS risk, yet the EPSS score is not available, suggesting a lower current exploitation probability. Attackers can trigger the DoS by sending specially crafted requests to a server that has mod_mem_cache enabled; however, no specific remote exploitation method is documented. The vulnerability is not listed in the CISA KEV catalog, so no publicly known active exploitation is currently reported.

Generated by OpenCVE AI on May 26, 2026 at 20:07 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH71265.For IBM HTTP Server used by IBM WebSphere Application Server:For V9.0.0.0 through 9.0.5.28:· Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71265--OR--· Apply Fix Pack 9.0.5.29 or later (targeted availability 3Q2026). For V8.5.0.0 through 8.5.5.29:· Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71265--OR--· Apply Fix Pack 8.5.5.30 or later (targeted availability 3Q2026). Additional interim fixes may be available and linked off the interim fix download page.Important NoteIBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

OpenCVE Recommended Actions

  • Apply the latest IBM fix pack—8.5.5.30 or later for version 8.5, and 9.0.5.29 or later for version 9.0—or an interim fix that resolves APAR PH71265.
  • If a fix cannot be applied immediately, disable the mod_mem_cache module or remove it from the server configuration to eliminate the DoS path.
  • Subscribe to the System z Security Portal to receive timely security updates and monitor for any new advisories or patches related to this vulnerability.

Generated by OpenCVE AI on May 26, 2026 at 20:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 26 May 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Ibm aix
Ibm z\/os
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:ibm:http_server:*:*:*:*:*:*:*:*
cpe:2.3:o:ibm:aix:-:*:*:*:*:*:*:*
cpe:2.3:o:ibm:z\/os:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Ibm aix
Ibm z\/os
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Tue, 26 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 26 May 2026 18:00:00 +0000

Type Values Removed Values Added
Description IBM HTTP Server 8.5, and 9.0 is vulnerable to denial of service via the optional module mod_mem_cache.
Title IBM HTTP Server is affected by multiple vulnerabilities
First Time appeared Ibm
Ibm http Server
Weaknesses CWE-825
CPEs cpe:2.3:a:ibm:http_server:8.5.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:http_server:8.5:*:*:*:*:*:*:*
cpe:2.3:a:ibm:http_server:9.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:http_server:9.0:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm http Server
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Ibm Aix Http Server Z\/os
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-05-26T18:34:16.176Z

Reserved: 2026-05-18T16:15:08.013Z

Link: CVE-2026-8854

cve-icon Vulnrichment

Updated: 2026-05-26T18:33:53.411Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-26T18:16:57.013

Modified: 2026-05-26T20:27:32.703

Link: CVE-2026-8854

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T20:15:15Z

Weaknesses
  • CWE-825

    Expired Pointer Dereference