Description
IBM HTTP Server 8.5, and 9.0 is vulnerable to denial of service in configurations where an attacker has write access to parts of the server configuration.
Published: 2026-05-26
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in IBM HTTP Server versions 8.5 and 9.0 allows a denial of service when an attacker can write to parts of the server configuration. The vulnerability is a resource exhaustion attack that nondestructively halts or slows service, degrading availability. The weakness corresponds to inadequate resource management (CWE-400).

Affected Systems

IBM HTTP Server 8.5.x and 9.0.x are affected as noted by the CNA vendor and product listings. The short‑form CPEs indicate all minor releases within those major versions are vulnerable unless mitigated by a fix pack or interim patch.

Risk and Exploitability

The CVSS score of 7.7 reflects a high severity denial‑of‑service condition with medium complexity. No EPSS score is available, so current exploitation probability is uncertain. The vulnerability is not listed in the CISA KEV catalog, implying no confirmed active exploitation. Based on the description, the likely attack vector requires write access to the server configuration, suggesting the threat may arise from privileged users, compromised credentials, or local exploitation on a co‑located system.

Generated by OpenCVE AI on May 26, 2026 at 19:43 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH71265.For IBM HTTP Server used by IBM WebSphere Application Server:For V9.0.0.0 through 9.0.5.28:· Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71265--OR--· Apply Fix Pack 9.0.5.29 or later (targeted availability 3Q2026). For V8.5.0.0 through 8.5.5.29:· Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71265--OR--· Apply Fix Pack 8.5.5.30 or later (targeted availability 3Q2026). Additional interim fixes may be available and linked off the interim fix download page.Important NoteIBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

OpenCVE Recommended Actions

  • Apply the IBM interim fix PH71265 or install the latest applicable fix pack (9.0.5.29 or later for v9.0, 8.5.5.30 or later for v8.5).
  • Restrict write permissions to the HTTP Server configuration directories so that only authorized accounts can modify them.
  • Continuously monitor configuration file integrity and audit logs for unauthorized changes, and subscribe to IBM System z security updates to receive further patches if necessary.

Generated by OpenCVE AI on May 26, 2026 at 19:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 26 May 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Ibm aix
Ibm z\/os
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:ibm:http_server:*:*:*:*:*:*:*:*
cpe:2.3:o:ibm:aix:-:*:*:*:*:*:*:*
cpe:2.3:o:ibm:z\/os:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Ibm aix
Ibm z\/os
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Tue, 26 May 2026 18:00:00 +0000

Type Values Removed Values Added
Description IBM HTTP Server 8.5, and 9.0 is vulnerable to denial of service in configurations where an attacker has write access to parts of the server configuration.
Title IBM HTTP Server is affected by multiple vulnerabilities
First Time appeared Ibm
Ibm http Server
Weaknesses CWE-400
CPEs cpe:2.3:a:ibm:http_server:8.5.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:http_server:8.5:*:*:*:*:*:*:*
cpe:2.3:a:ibm:http_server:9.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:http_server:9.0:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm http Server
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

Ibm Aix Http Server Z\/os
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-05-27T13:09:04.083Z

Reserved: 2026-05-18T16:50:49.167Z

Link: CVE-2026-8856

cve-icon Vulnrichment

Updated: 2026-05-27T12:47:38.589Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-26T18:16:57.300

Modified: 2026-05-26T20:22:17.840

Link: CVE-2026-8856

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T20:15:14Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption