CVE-2026-8850
Analyzed Analyzed - Analysis Complete

IBM HTTP Server mod_ibm_upload Denial of Service

Vulnerability report for CVE-2026-8850, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: IBM Corporation

Description

IBM HTTP Server 8.5, and 9.0 is vulnerable to denial of service via the optional module mod_ibm_upload.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-26
Last Modified
2026-05-26
Generated
2026-07-06
AI Q&A
2026-05-26
EPSS Evaluated
2026-07-04
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
ibm http_server From 8.5.0.0 (inc) to 8.5.5.30 (exc)
ibm http_server From 9.0.0.0 (inc) to 9.0.5.29 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability affects the availability of the IBM HTTP Server by allowing a denial of service (DoS) attack through the mod_ibm_upload module. It does not impact confidentiality or integrity of data.

Since the vulnerability only impacts availability and does not compromise data confidentiality or integrity, its direct effect on compliance with standards like GDPR or HIPAAβ€”which primarily focus on protecting personal data privacy and integrityβ€”is limited.

However, availability is also a component of many compliance frameworks, so prolonged denial of service could potentially affect compliance if it disrupts critical services or access to protected data.

Executive Summary

CVE-2026-8850 is a vulnerability in the IBM HTTP Server (versions 8.5 and 9.0) that allows an attacker to cause a denial of service (DoS) via the optional module mod_ibm_upload.

The issue is caused by a NULL pointer dereference, which can cause the server to crash or become unresponsive.

The attack can be performed remotely over the network without requiring any privileges or user interaction.

Impact Analysis

This vulnerability impacts the availability of the IBM HTTP Server by allowing an attacker to cause the server to crash or become unresponsive, resulting in a denial of service.

It does not affect the confidentiality or integrity of the data handled by the server.

Mitigation Strategies

To mitigate the CVE-2026-8850 vulnerability in IBM HTTP Server, IBM recommends applying the interim fix for APAR PH71265.

Alternatively, you can upgrade to Fix Pack 9.0.5.29 or later for version 9.0, or Fix Pack 8.5.5.30 or later for version 8.5.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8850. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart