IBM WebSphere eXtreme Scale is affected by uncontrolled resource consumption when XDF is enabled
Summary
| CVE | CVE-2026-9002 |
|---|---|
| State | PUBLISHED |
| Assigner | ibm |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-30 20:17:32 UTC |
| Updated | 2026-07-02 19:59:28 UTC |
| Description | IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 could allow an adjacent attacker to cause a denial of service due to improper validation in the XDF decoder. The application processes deeply nested Protocol Buffers messages and attacker-controlled length prefixes without sufficient bounds checking, which may allow an attacker on the same network to trigger a StackOverflowError or OutOfMemoryError, resulting in a crash of the WebSphere Application Server JVM. |
Risk And Classification
Primary CVSS: v3.1 6.5 MEDIUM from [email protected]
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.002690000 probability, percentile 0.185220000 (date 2026-07-03)
Problem Types: CWE-400 Uncontrolled Resource Consumption (CNA); NVD-CWE-noinfo (NVD)
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 6.5 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | CNA | CVSS | 6.5 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Adjacent |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity | None |
| Availability | High |
| Vector | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Ibm | Websphere Extreme Scale | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | IBM | WebSphere Extreme Scale | 8.6.1.0 through 8.6.1.6 (affected, semver) | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.ibm.com/support/pages/node/7278346 | [email protected] | www.ibm.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Additional Advisory Data
Solutions
CNA:
| Product | Version(s) | APAR | Remediation/First Fix |
|---|---|---|---|
| IBM WebSphere eXtreme Scale | 8.6.1.0 - 8.6.1.6 | PH71946 | For older versions, upgrade to the latest fixpack 8.6.1.6 and then apply the PH71946 iFix. If you are already on 8.6.1.6, apply the PH71946 iFix directly. |
Recommended Fixes page for WebSphere eXtreme Scale: http://www.ibm.com/support/docview.wss
There are currently no legacy QID mappings associated with this CVE.