Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
IBM i 7.6, 7.5, 7.4, and 7.3 s vulnerable to a denial-of-service attack due to uncontrolled recursion in the Integrated Language Environment (ILE) compiler. An authenticated attacker could exploit this vulnerability by compiling specially crafted source code containing a specific combination of statements.
AnalysisAI
Denial-of-service via uncontrolled recursion in the IBM i Integrated Language Environment (ILE) compiler affects versions 7.3, 7.4, 7.5 (≤12.1.4), and 7.6 (≤11.5.9). An authenticated network attacker can crash or hang the ILE compiler by submitting specially crafted source code containing a specific combination of statements that triggers infinite or deeply nested recursive processing. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though the low complexity and authenticated-only barrier makes this plausible for insider threat or compromised credential scenarios.
Technical ContextAI
IBM i (formerly AS/400, iSeries) is an integrated operating platform widely used in enterprise and government environments. The Integrated Language Environment (ILE) is the runtime and compilation framework for IBM i languages including RPG, COBOL, C, and CL. CWE-674 (Uncontrolled Recursion) describes a root cause where a program fails to properly limit recursive calls, allowing crafted input to exhaust stack space or processing resources. In this case, the ILE compiler's parsing or semantic analysis phase does not enforce a depth limit when processing a specific combination of source statements, allowing a recursive descent into unbounded call depth and causing availability loss. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) confirms the impact is purely availability, with no confidentiality or integrity loss, and that scope is unchanged (the crash does not break containment into the OS or other jobs). Affected versions per EUVD are IBM i 7.3, 7.4, 7.5 ≤12.1.4, and 7.6 ≤11.5.9.
RemediationAI
Consult the IBM advisory at https://www.ibm.com/support/pages/node/7272908 for the applicable PTFs (Program Temporary Fixes) for each affected IBM i release. Based on EUVD data, IBM i 7.5 is fixed in versions above 12.1.4 and IBM i 7.6 is fixed in versions above 11.5.9; fix version boundaries for 7.3 and 7.4 are not independently confirmed from available data and should be obtained directly from the IBM advisory. If immediate patching is not possible, restrict ILE compiler access to a minimal set of trusted developer accounts using IBM i object-level authorities (*USE authority on compiler objects), preventing untrusted or lower-privilege users from submitting source code for compilation. Additionally, monitoring QHST and job logs for abnormal compiler job terminations or high-CPU compiler jobs can aid early detection. Note that restricting compiler access may impact development and build automation workflows and should be coordinated with application owners.
Same weakness CWE-674 – Uncontrolled Recursion
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32491
GHSA-r635-g5rf-pcvw