Skip to main content

IBM i CVE-2026-6936

| EUVDEUVD-2026-32491 MEDIUM
Uncontrolled Recursion (CWE-674)
2026-05-27 psirt@us.ibm.com GHSA-r635-g5rf-pcvw
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 21:19 vuln.today

DescriptionCVE.org

IBM i 7.6, 7.5, 7.4, and 7.3 s vulnerable to a denial-of-service attack due to uncontrolled recursion in the Integrated Language Environment (ILE) compiler. An authenticated attacker could exploit this vulnerability by compiling specially crafted source code containing a specific combination of statements.

AnalysisAI

Denial-of-service via uncontrolled recursion in the IBM i Integrated Language Environment (ILE) compiler affects versions 7.3, 7.4, 7.5 (≤12.1.4), and 7.6 (≤11.5.9). An authenticated network attacker can crash or hang the ILE compiler by submitting specially crafted source code containing a specific combination of statements that triggers infinite or deeply nested recursive processing. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though the low complexity and authenticated-only barrier makes this plausible for insider threat or compromised credential scenarios.

Technical ContextAI

IBM i (formerly AS/400, iSeries) is an integrated operating platform widely used in enterprise and government environments. The Integrated Language Environment (ILE) is the runtime and compilation framework for IBM i languages including RPG, COBOL, C, and CL. CWE-674 (Uncontrolled Recursion) describes a root cause where a program fails to properly limit recursive calls, allowing crafted input to exhaust stack space or processing resources. In this case, the ILE compiler's parsing or semantic analysis phase does not enforce a depth limit when processing a specific combination of source statements, allowing a recursive descent into unbounded call depth and causing availability loss. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) confirms the impact is purely availability, with no confidentiality or integrity loss, and that scope is unchanged (the crash does not break containment into the OS or other jobs). Affected versions per EUVD are IBM i 7.3, 7.4, 7.5 ≤12.1.4, and 7.6 ≤11.5.9.

RemediationAI

Consult the IBM advisory at https://www.ibm.com/support/pages/node/7272908 for the applicable PTFs (Program Temporary Fixes) for each affected IBM i release. Based on EUVD data, IBM i 7.5 is fixed in versions above 12.1.4 and IBM i 7.6 is fixed in versions above 11.5.9; fix version boundaries for 7.3 and 7.4 are not independently confirmed from available data and should be obtained directly from the IBM advisory. If immediate patching is not possible, restrict ILE compiler access to a minimal set of trusted developer accounts using IBM i object-level authorities (*USE authority on compiler objects), preventing untrusted or lower-privilege users from submitting source code for compilation. Additionally, monitoring QHST and job logs for abnormal compiler job terminations or high-CPU compiler jobs can aid early detection. Note that restricting compiler access may impact development and build automation workflows and should be coordinated with application owners.

Share

CVE-2026-6936 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy