Severity by source
AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
IBM WebSphere Application Server - Liberty 19.0.0.7 through 26.0.0.5 and IBM WebSphere Application Server 9.0, and 8.5 and WebSphere Application Server Liberty are vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources.
AnalysisAI
Memory exhaustion in IBM WebSphere Application Server (Liberty 19.0.0.7-26.0.0.5, traditional WAS 8.5 and 9.0) allows an adjacent-network, low-privileged attacker to trigger uncontrolled memory consumption by sending a specially crafted request. The attack requires both network adjacency and high complexity conditions, constraining the realistic threat surface significantly compared to the High availability impact rating. No public exploit code exists and CISA SSVC rates exploitation as 'none' with technical impact classified as 'partial', placing this vulnerability in a lower operational priority tier despite the A:H component impact.
Technical ContextAI
The vulnerability is rooted in CWE-400 (Uncontrolled Resource Consumption), a class of flaw where the application fails to impose adequate limits on memory allocation triggered by attacker-controlled input. IBM WebSphere Application Server Liberty is the lightweight, OSGi-based Java EE/Jakarta EE runtime, while traditional WAS 8.5 and 9.0 are the full-profile enterprise application servers. The CVSS vector AV:A (Adjacent Network) indicates the attack surface is constrained to the local network segment or broadcast domain - typical for internal middleware deployments. The AC:H (High Complexity) component indicates that specific conditions beyond simple network access must be met, likely relating to request parsing internals or a particular protocol handler within the Liberty or WAS runtime. The scope is unchanged (S:U), and impacts are strictly limited to availability (C:N/I:N/A:H), consistent with a resource exhaustion DoS class.
RemediationAI
IBM has published an advisory at https://www.ibm.com/support/pages/node/7273424 addressing this vulnerability; apply the IBM-recommended fixes or interim fixes detailed there. No specific patched release version number was included in the source data provided for this analysis, so the exact target upgrade version must be confirmed directly from the IBM advisory. For organizations unable to patch immediately, compensating controls should include restricting network-level access to WAS and Liberty endpoints to authorized adjacent-network segments only (consistent with AV:A attack vector), enforcing authentication at the perimeter so unauthenticated traffic never reaches the application server, and configuring JVM memory limits and OS-level resource controls (e.g., cgroups, JVM -Xmx flags) to cap per-process memory growth - accepting the trade-off that tight memory caps may also impact legitimate high-load scenarios. Monitor server memory utilization and set alerting thresholds to detect exploitation attempts early.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32281
GHSA-crfv-r2fv-7458