CVE-2026-4410
Analyzed Analyzed - Analysis Complete
IBM WebSphere Liberty Denial of Service Vulnerability

Publication date: 2026-05-27

Last updated on: 2026-06-01

Assigner: IBM Corporation

Description
IBM WebSphere Application Server - Liberty 19.0.0.7 through 26.0.0.5 and IBM WebSphere Application Server 9.0, and 8.5 and WebSphere Application Server Liberty are vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-06-01
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4410
EUVD
EUVD-2026-32281
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
ibm websphere_application_server From 8.5.0.0 (inc) to 8.5.5.29 (inc)
ibm websphere_application_server From 9.0.0.0 (inc) to 9.0.5.27 (inc)
ibm websphere_application_server From 19.0.0.7 (inc) to 26.0.0.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-4410 is a vulnerability in IBM WebSphere Application Server and WebSphere Application Server Liberty that allows a remote attacker to cause a denial of service by sending a specially crafted request.

This specially crafted request causes the server to consume excessive memory resources, potentially leading to service disruption.

The affected versions include IBM WebSphere Application Server Liberty 19.0.0.7 through 26.0.0.5 with the sipServlet-1.1 feature enabled, as well as IBM WebSphere Application Server versions 9.0 and 8.5.

Impact Analysis

This vulnerability can impact you by causing a denial of service on your IBM WebSphere Application Server or WebSphere Application Server Liberty.

A remote attacker exploiting this vulnerability can send a specially crafted request that forces the server to consume excessive memory resources, potentially leading to server slowdown, unavailability, or crash.

This disruption can affect the availability of applications and services hosted on the affected servers.

Mitigation Strategies

IBM recommends applying interim fixes or fix packs to address the issue.

  • For Liberty, upgrade to fix pack 26.0.0.6 or later (expected in Q2 2026) or apply the interim fix for APAR PH70807.
  • For traditional WebSphere Application Server versions 9.0 and 8.5, apply the interim fix for APAR PH70616 or upgrade to fix packs 9.0.5.28 (Q2 2026) and 8.5.5.30 (Q3 2026), respectively.

No workarounds or mitigations are currently available.

Detection Guidance

There is no specific information provided about detection methods or commands to identify this vulnerability on your network or system.

IBM recommends applying interim fixes or fix packs to address the issue, but no workarounds or mitigations are currently available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4410. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart