IBM HTTP Server Multiple Vulnerabilities Advisory (RCE/DoS)

Vulnerability Overview IBM HTTP Server contains multiple vulnerabilities, specifically including: 1. CVE-2026-8850 - Description: IBM HTTP Server is vulnerable to denial of service via the optional module mod_ibm_upload. - CWE: CWE-476: NULL Pointer Dereference - CVSS Base Score: 7.5 2. CVE-2026-8855 - Description: IBM HTTP Server is vulnerable to remote code execution and denial of service when configured for TLS mutual authentication (client authentication). - CWE: CWE-94: Improper Control of Generation of Code ('Code Injection') - CVSS Base Score: 8.1 3. CVE-2026-8835 - Description: IBM HTTP Server is vulnerable to an invalid pointer dereference attack. An authenticated administrative server user could exploit this vulnerability to expose sensitive information or cause a denial of service. - CWE: CWE-822: Untrusted Pointer Dereference - CVSS Base Score: 7.3 4. CVE-2026-8834 - Description: IBM HTTP Server contains a buffer overflow vulnerability. An authenticated administrative server user could exploit this vulnerability to execute remote code or cause a denial of service. - CWE: CWE-122: Heap-based Buffer Overflow - CVSS Base Score: 8 5. CVE-2026-8856 - Description: IBM HTTP Server is vulnerable to denial of service when an attacker has access to parts of the server configuration. - CWE: CWE-400: Uncontrolled Resource Consumption - CVSS Base Score: 7.7 6. CVE-2026-45186 - Description: In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows denial of service via medium-sized crafted XML input. - CWE: CWE-407: Inefficient Algorithmic Complexity - CVSS Base Score: 7.5 7. CVE-2026-8852 - Description: IBM HTTP Server is vulnerable to denial of service via the optional module mod_fastcgi. - CWE: CWE-617: Reachable Assertion - CVSS Base Score: 6.2 8. CVE-2026-8854 - Description: IBM HTTP Server is vulnerable to denial of service via the optional module mod_mem_cache. - CWE: CWE-825: Expired Pointer Dereference - CVSS Base Score: 7.5 9. CVE-2026-9170 - Description: IBM HTTP Server is vulnerable to denial of service and potential remote code execution due to improper input validation. - CWE: CWE-94: Improper Control of Generation of Code ('Code Injection') - CVSS Base Score: 9.8 Affected Scope Affected Product: IBM HTTP Server Affected Versions: - IBM HTTP Server 8.5 - IBM HTTP Server 9.0 Remediation IBM strongly recommends addressing the vulnerabilities immediately by applying the currently available interim fix or the fix pack containing the fix, which is APAR PH71265. For IBM HTTP Server 9.0.0.0 to 9.0.5.28: - Upgrade to the minimum fix pack level, then apply the interim fix resolving PH71265. - Alternatively, apply Fix Pack 9.0.5.29 or later (target availability Q3 2026). For IBM HTTP Server 8.5.0.0 to 8.5.5.29: - Upgrade to the minimum fix pack level, then apply the interim fix resolving PH71265. - Alternatively, apply Fix Pack 8.5.5.30 or later (target availability Q3 2026). Important Notes IBM strongly recommends that all System z clients subscribe to the System z Security Portal to receive the latest System z security and integrity services. If not subscribed, please refer to the instructions on the System z Security website. Security and integrity APARs and associated fixes will be published to this portal. IBM recommends reviewing CVSS scores and applying all security or integrity fixes as soon as possible to minimize potential risks. Workarounds and Mitigations None Getting Notifications for Future Security Bulletins Subscribe to My Notifications to receive notifications for important product support alerts. References Complete CVSS v3 Guide Online Calculator v3 Related Information IBM Security Engineering Web Portal IBM Product Security Incident Response Blog Acknowledgements None Change History May 26, 2026: Initial publication Disclaimer According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard" designed to convey vulnerability severity and help determine the urgency and priority of response. IBM provides CVSS scores "as is" without warranty of any kind, expressed or implied, including without limitation the implied warranties of merchantability and fitness for a particular purpose. Customers are responsible for assessing the impact of any actual or potential security vulnerabilities. Additionally, IBM periodically updates the records of components in its product portfolio. As part of that effort, IBM identifies vulnerabilities in product/service inventories that were previously unidentified. The inclusion of older CVE dates does not indicate that the referenced product has been used by IBM since that date, nor that IBM was aware of the vulnerability at that time. We strive to inform customers of relevant vulnerabilities as we become aware of them. IBM security bulletins that reference "affected products and versions" refer only to supported and non-expired products an

Goal Reached Thanks to every supporter — we hit 100%!

IBM HTTP Server Multiple Vulnerabilities Advisory (RCE/DoS)

More from this source