CVE-2026-8852 - Vulnerability Details - OpenCVE

IBM HTTP Server 8.5, and 9.0 is vulnerable to denial of service via the optional module mod_fastcgi module.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Ibm	Http Server

No data.

No data.

No data.

References

Link	Providers
https://www.ibm.com/support/pages/node/7274065

History

Tue, 26 May 2026 17:00:00 +0000

Type	Values Removed	Values Added
Description		IBM HTTP Server 8.5, and 9.0 is vulnerable to denial of service via the optional module mod_fastcgi module.
Title		IBM HTTP Server is affected by multiple vulnerabilities
First Time appeared		Ibm Ibm http Server
Weaknesses		CWE-617
CPEs		cpe:2.3:a:ibm:http_server:8.5.0:::::::* cpe:2.3:a:ibm:http_server:8.5:::::::* cpe:2.3:a:ibm:http_server:9.0.0:::::::* cpe:2.3:a:ibm:http_server:9.0:::::::*
Vendors & Products		Ibm Ibm http Server
References		https://www.ibm.com/support/pages/node/7274065
Metrics		cvssV3_1 `{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

MITRE

Status: PUBLISHED

Assigner: ibm

Published: 2026-05-26T16:56:07.145Z

Updated: 2026-05-26T17:36:19.686Z

Reserved: 2026-05-18T16:13:22.116Z

Link: CVE-2026-8852

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-26T17:16:55.770

Modified: 2026-05-26T17:16:55.770

Link: CVE-2026-8852

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-8852", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2026-05-18T16:13:22.116Z", "datePublished": "2026-05-26T16:56:07.145Z", "dateUpdated": "2026-05-26T17:36:19.686Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-05-26T16:56:07.145Z"}, "title": "IBM HTTP Server is affected by multiple vulnerabilities", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-617", "description": "CWE-617 Reachable Assertion", "type": "CWE"}]}], "affected": [{"vendor": "IBM", "product": "HTTP Server", "versions": [{"status": "affected", "version": "8.5.0", "lessThanOrEqual": "Interim Fix 002", "versionType": "semver"}, {"status": "affected", "version": "9.0", "versionType": "semver"}], "cpes": ["cpe:2.3:a:ibm:http_server:8.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:http_server:8.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:http_server:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:http_server:9.0.0:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "IBM HTTP Server 8.5, and 9.0 is vulnerable to denial of service via the optional module mod_fastcgi module.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM HTTP Server 8.5, and 9.0 is vulnerable to denial of service via the optional module mod_fastcgi module.</p>"}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7274065", "tags": ["vendor-advisory", "patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 6.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}], "solutions": [{"lang": "en", "value": "IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH71265.For IBM HTTP Server used by IBM WebSphere Application Server:For V9.0.0.0 through 9.0.5.28:\u00b7 Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71265--OR--\u00b7 Apply Fix Pack 9.0.5.29 or later (targeted availability 3Q2026).\u00a0For V8.5.0.0 through 8.5.5.29:\u00b7 Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH71265--OR--\u00b7 Apply Fix Pack 8.5.5.30 or later (targeted availability 3Q2026).\u00a0Additional interim fixes may be available and linked off the interim fix download page.Important NoteIBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH71265.</p><p><strong>For IBM HTTP Server used by IBM WebSphere Application Server:</strong></p><p><strong>For V9.0.0.0 through 9.0.5.28:</strong><br>\u00b7 Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves <a href=\"https://www.ibm.com/support/pages/node/7239806\" rel=\"nofollow\">PH71265</a><br>--OR--<br>\u00b7 Apply Fix Pack 9.0.5.29 or later (targeted availability 3Q2026). </p><p><strong>For V8.5.0.0 through 8.5.5.29:</strong><br>\u00b7 Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves <a href=\"https://www.ibm.com/support/pages/node/7239806\" rel=\"nofollow\">PH71265</a><br>--OR--<br>\u00b7 Apply Fix Pack 8.5.5.30 or later (targeted availability 3Q2026).</p><p> Additional interim fixes may be available and linked off the interim fix download page.</p><p>Important Note</p><p>IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.</p>"}]}], "x_generator": {"engine": "ibm-cvegen"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-26T17:36:13.000216Z", "id": "CVE-2026-8852", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-26T17:36:19.686Z"}}]}}