CVE Catalog

CVE-2026-9002

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.27%

19th percentile — higher than 19% of all known CVEs

Summary

IBM WebSphere Extreme Scale versions 8.6.1.0 through 8.6.1.6 contain a denial-of-service vulnerability due to improper validation in the XDF decoder. The application processes deeply nested Protocol Buffers messages and attacker-controlled length prefixes without sufficient bounds checking, which may lead to a StackOverflowError or OutOfMemoryError.

Risk Assessment

An adjacent attacker on the same network can crash the WebSphere Application Server JVM, causing service disruption and potential loss of application availability.

Recommendation

Immediately upgrade IBM WebSphere Extreme Scale to version 8.6.1.7 or later, which includes a fix for this vulnerability.

Original NVD description (English source)

IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 could allow an adjacent attacker to cause a denial of service due to improper validation in the XDF decoder. The application processes deeply nested Protocol Buffers messages and attacker-controlled length prefixes without sufficient bounds checking, which may allow an attacker on the same network to trigger a StackOverflowError or OutOfMemoryError, resulting in a crash of the WebSphere Application Server JVM.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS