{"api_version":"1","generated_at":"2026-07-04T06:14:38+00:00","cve":"CVE-2026-9002","urls":{"html":"https://cve.report/CVE-2026-9002","api":"https://cve.report/api/cve/CVE-2026-9002.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-9002","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-9002"},"summary":{"title":"IBM WebSphere eXtreme Scale is affected by uncontrolled resource consumption when XDF is enabled","description":"IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 could allow an adjacent attacker to cause a denial of service due to improper validation in the XDF decoder. The application processes deeply nested Protocol Buffers messages and attacker-controlled length prefixes without sufficient bounds checking, which may allow an attacker on the same network to trigger a StackOverflowError or OutOfMemoryError, resulting in a crash of the WebSphere Application Server JVM.","state":"PUBLISHED","assigner":"ibm","published_at":"2026-06-30 20:17:32","updated_at":"2026-07-02 19:59:28"},"problem_types":["CWE-400","NVD-CWE-noinfo","CWE-400 CWE-400 Uncontrolled Resource 
Consumption"],"metrics":[{"version":"3.1","source":"psirt@us.ibm.com","type":"Primary","score":"6.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"6.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"attackComplexity":"LOW","attackVector":"ADJACENT_NETWORK","availabilityImpact":"HIGH","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}}],"references":[{"url":"https://www.ibm.com/support/pages/node/7278346","name":"https://www.ibm.com/support/pages/node/7278346","refsource":"psirt@us.ibm.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-9002","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-9002","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"IBM","product":"WebSphere Extreme Scale","version":"affected 8.6.1.0 8.6.1.6 semver","platforms":[]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"Product: IBM WebSphere eXtreme Scale\nVersion(s): 8.6.1.0 - 8.6.1.6\nAPAR: PH71946\nRemediation/First Fix:\n\nFor older versions, upgrade to latest fixpack 8.6.1.6 and then apply the PH71946 iFix. 
If you are using 8.6.1.6, directly apply the PH71946 iFix.\n\nRecommended Fixes page for WebSphere eXtreme Scale: http://www.ibm.com/support/docview.wss?uid=swg27018991","time":"","lang":"en"}],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"9002","vulnerable":"1","versionEndIncluding":"8.6.1.6","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ibm","cpe5":"websphere_extreme_scale","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"9002","cve":"CVE-2026-9002","epss":"0.002690000","percentile":"0.185220000","score_date":"2026-07-03","updated_at":"2026-07-04 00:02:17"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-9002","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-06-30T19:30:23.440960Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-30T19:30:30.663Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"cpes":["cpe:2.3:a:ibm:websphere_extreme_scale:8.6.1.0:*:*:*:*:*:*:*","cpe:2.3:a:ibm:websphere_extreme_scale:8.6.1.6:*:*:*:*:*:*:*"],"product":"WebSphere Extreme Scale","vendor":"IBM","versions":[{"lessThanOrEqual":"8.6.1.6","status":"affected","version":"8.6.1.0","versionType":"semver"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 could allow an adjacent attacker to cause a denial of service due to improper validation in the XDF decoder. 
The application processes deeply nested Protocol Buffers messages and attacker-controlled length prefixes without sufficient bounds checking, which may allow an attacker on the same network to trigger a StackOverflowError or OutOfMemoryError, resulting in a crash of the WebSphere Application Server JVM.</p>"}],"value":"IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 could allow an adjacent attacker to cause a denial of service due to improper validation in the XDF decoder. The application processes deeply nested Protocol Buffers messages and attacker-controlled length prefixes without sufficient bounds checking, which may allow an attacker on the same network to trigger a StackOverflowError or OutOfMemoryError, resulting in a crash of the WebSphere Application Server JVM."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"ADJACENT_NETWORK","availabilityImpact":"HIGH","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-400","description":"CWE-400 Uncontrolled Resource Consumption","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-30T19:08:43.309Z","orgId":"9a959283-ebb5-44b6-b705-dcc2bbced522","shortName":"ibm"},"references":[{"tags":["vendor-advisory","patch"],"url":"https://www.ibm.com/support/pages/node/7278346"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<div><table><tbody><tr><td>Product</td><td>Version(s)</td><td>APAR</td><td>Remediation/First Fix</td></tr><tr><td>IBM WebSphere eXtreme Scale</td><td>8.6.1.0 - 8.6.1.6</td><td>PH71946 </td><td><p>For older versions, upgrade to latest fixpack 8.6.1.6 and then apply the PH71946 iFix. 
If you are using 8.6.1.6  directly apply the PH71946 iFix.</p><p><a href=\"http://www.ibm.com/support/docview.wss?uid=swg27018991\" rel=\"nofollow\">Recommended Fixes page for WebSphere eXtreme Scale</a></p></td></tr></tbody></table></div>"}],"value":"ProductVersion(s)APARRemediation/First FixIBM WebSphere eXtreme Scale8.6.1.0 - 8.6.1.6PH71946 \n\nFor older versions, upgrade to latest fixpack 8.6.1.6 and then apply the PH71946 iFix. If you are using 8.6.1.6  directly apply the PH71946 iFix.\n\n\n\n Recommended Fixes page for WebSphere eXtreme Scale http://www.ibm.com/support/docview.wss"}],"title":"IBM WebSphere eXtremes Scale is affected by uncontrolled resource consumption when XDF is enabled","x_generator":{"engine":"ibm-cvegen"}}},"cveMetadata":{"assignerOrgId":"9a959283-ebb5-44b6-b705-dcc2bbced522","assignerShortName":"ibm","cveId":"CVE-2026-9002","datePublished":"2026-06-30T19:08:43.309Z","dateReserved":"2026-05-19T13:37:18.171Z","dateUpdated":"2026-06-30T19:30:30.663Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-30 20:17:32","lastModifiedDate":"2026-07-02 19:59:28","problem_types":["CWE-400","NVD-CWE-noinfo","CWE-400 CWE-400 Uncontrolled Resource Consumption"],"metrics":{"cvssMetricV31":[{"source":"psirt@us.ibm.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":3.6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-30T19:30:23.440960Z","id":"CVE-2026-9002","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA 
Coordinator","version":"2.0.3"}}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:websphere_extreme_scale:*:*:*:*:*:*:*:*","versionStartIncluding":"8.6.1.0","versionEndIncluding":"8.6.1.6","matchCriteriaId":"80E8BE43-5CF8-4B93-8443-BC6D57872BA6"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"9002","Ordinal":"1","Title":"IBM WebSphere eXtremes Scale is affected by uncontrolled resourc","CVE":"CVE-2026-9002","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"9002","Ordinal":"1","NoteData":"IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 could allow an adjacent attacker to cause a denial of service due to improper validation in the XDF decoder. The application processes deeply nested Protocol Buffers messages and attacker-controlled length prefixes without sufficient bounds checking, which may allow an attacker on the same network to trigger a StackOverflowError or OutOfMemoryError, resulting in a crash of the WebSphere Application Server JVM.","Type":"Description","Title":"IBM WebSphere eXtremes Scale is affected by uncontrolled resourc"}]}}}