CVE-2026-9002

IBM WebSphere Extreme Scale DoS via XDF Decoder

Vulnerability report for CVE-2026-9002, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: IBM Corporation

Description

IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 could allow an adjacent attacker to cause a denial of service due to improper validation in the XDF decoder. The application processes deeply nested Protocol Buffers messages and attacker-controlled length prefixes without sufficient bounds checking, which may allow an attacker on the same network to trigger a StackOverflowError or OutOfMemoryError, resulting in a crash of the WebSphere Application Server JVM.
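The defect class named in the description (length prefixes and nesting depth accepted without bounds checks) is easiest to see next to a decoder that does enforce them. The block below is an added example, not IBM's code and not the XDF wire format: it decodes a constructed protobuf-style length-delimited encoding (one-byte tag, varint length, payload, with nested sub-messages) and applies the three checks a defender would want before recursing or allocating: the length prefix is compared against the bytes actually remaining, nesting depth is capped by the hypothetical `MAX_DEPTH`, and total message size is capped by the hypothetical `MAX_MESSAGE_BYTES`. Inputs that exceed a limit are rejected with a reason that can be logged rather than being allowed to exhaust the stack or the heap.

```python
"""Bounded decoder for a protobuf-style, length-delimited nested message format.

Constructed example (not IBM code, not the XDF wire format). Each field is a
one-byte tag, a varint length prefix and a payload; TAG_NESTED payloads are
themselves messages. Every length prefix is checked against the bytes that
remain, nesting depth is capped and total message size is capped.
"""
from dataclasses import dataclass, field
from typing import List, Tuple, Union

MAX_DEPTH = 32               # assumption: maximum nesting of sub-messages
MAX_MESSAGE_BYTES = 1 << 20  # assumption: maximum size of one top-level message

TAG_BYTES = 0x01    # leaf field carrying raw bytes
TAG_NESTED = 0x02   # field carrying an embedded sub-message


class DecodeError(ValueError):
    """Raised for any malformed or over-limit input; callers drop the message."""


@dataclass
class Node:
    children: List[Union[bytes, "Node"]] = field(default_factory=list)


def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode an unsigned LEB128 varint; at most 10 bytes so it cannot run away."""
    result, shift = 0, 0
    for _ in range(10):
        if pos >= len(buf):
            raise DecodeError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
    raise DecodeError("varint longer than 10 bytes")


def _decode_message(buf: bytes, start: int, end: int, depth: int, max_depth: int) -> Node:
    if depth > max_depth:
        raise DecodeError(f"nesting depth {depth} exceeds limit {max_depth}")
    node = Node()
    pos = start
    while pos < end:
        tag = buf[pos]
        pos += 1
        length, pos = read_varint(buf, pos)
        # The length prefix is attacker-controlled: compare it with the bytes
        # actually left in this message before slicing or recursing.
        if length > end - pos:
            raise DecodeError(f"length prefix {length} exceeds remaining {end - pos} bytes")
        payload_end = pos + length
        if tag == TAG_BYTES:
            node.children.append(bytes(buf[pos:payload_end]))
        elif tag == TAG_NESTED:
            node.children.append(_decode_message(buf, pos, payload_end, depth + 1, max_depth))
        else:
            raise DecodeError(f"unknown tag {tag:#04x}")
        pos = payload_end
    return node


def decode(buf: bytes, *, max_depth: int = MAX_DEPTH, max_bytes: int = MAX_MESSAGE_BYTES) -> Node:
    """Decode one top-level message, rejecting oversize or over-nested input."""
    if len(buf) > max_bytes:
        raise DecodeError(f"message of {len(buf)} bytes exceeds limit {max_bytes}")
    return _decode_message(buf, 0, len(buf), 0, max_depth)


def safe_decode(buf: bytes, **limits) -> Tuple[bool, str]:
    """Return (accepted, reason) instead of raising, so rejections can be logged."""
    try:
        decode(buf, **limits)
        return True, "ok"
    except DecodeError as exc:
        return False, str(exc)


def depth(node: Node) -> int:
    """Nesting depth of a decoded tree (0 for a message with no sub-messages)."""
    sub = [depth(c) for c in node.children if isinstance(c, Node)]
    return 1 + max(sub) if sub else 0


# Encoder helpers, used only to build constructed test inputs.
def encode_varint(n: int) -> bytes:
    out = bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        if n:
            out.append(b | 0x80)
        else:
            out.append(b)
            return bytes(out)


def encode_field(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + encode_varint(len(payload)) + payload


def nest(payload: bytes, levels: int) -> bytes:
    """Wrap a leaf in `levels` sub-messages (the shape of an over-nested input)."""
    msg = encode_field(TAG_BYTES, payload)
    for _ in range(levels):
        msg = encode_field(TAG_NESTED, msg)
    return msg
```

Calling `safe_decode(nest(b"x", MAX_DEPTH + 1))` returns `(False, "nesting depth 33 exceeds limit 32")`, and a field whose length prefix claims more bytes than remain is rejected before any slice is taken. The depth check runs on entry to every sub-message, so the recursion is bounded by the configured limit rather than by the JVM or interpreter stack, which is what turns this class of input from a crash into a logged rejection.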


Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-07-01
AI Q&A: 2026-06-30
EPSS Evaluated: N/A

Affected Vendors & Products

1 associated CPE:
Vendor: ibm
Product: websphere_extreme_scale
Version / Range: from 8.6.1.0 (inclusive) to 8.6.1.6 (inclusive)


Exploitability

CWE-400: The product does not properly control the allocation and maintenance of a limited resource.


Impact Analysis

This vulnerability can lead to a denial of service (DoS) condition by crashing the WebSphere Application Server JVM. An attacker on the same network can exploit this flaw to cause uncontrolled resource consumption, resulting in the application server becoming unavailable. The impact is high on availability, although it does not affect confidentiality or integrity.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade IBM WebSphere eXtreme Scale to version 8.6.1.6 if you are running an affected version between 8.6.1.0 and 8.6.1.6.

Additionally, apply the IBM APAR PH71946 iFix to address the issue.

Currently, no workarounds are available for this vulnerability.

Executive Summary

IBM WebSphere Extreme Scale versions 8.6.1.0 through 8.6.1.6 have a vulnerability in the XDF decoder caused by improper validation. This flaw allows an adjacent attacker on the same network to send deeply nested Protocol Buffers messages with attacker-controlled length prefixes. Due to insufficient bounds checking, this can trigger errors such as StackOverflowError or OutOfMemoryError, which crash the WebSphere Application Server JVM.

Compliance Impact

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

