Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Server 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Endpoint are affected by a potential denial of service in the asperahttpd component. An unauthenticated user can cause the asperahttpd service to crash.
AnalysisAI
Remote denial of service in IBM Aspera High-Speed Transfer Endpoint and High-Speed Transfer Server (versions 3.7.4 through 4.4.7 Fix Pack 1) allows an unauthenticated network attacker to crash the asperahttpd service via a NULL pointer dereference. Exploitation requires no credentials and no user interaction, yielding a complete loss of availability for the affected transfer service. There is no public exploit identified at time of analysis, and the issue has no confidentiality or integrity impact.
Technical ContextAI
IBM Aspera is a high-speed managed file transfer suite built on the FASP protocol; the affected piece is asperahttpd, the embedded HTTP daemon that fronts the High-Speed Transfer Server/Endpoint (typically used for HTTP/HTTPS fallback and web-based transfer setup). The root cause is classified as CWE-476 (NULL Pointer Dereference), meaning the daemon dereferences a pointer that was never initialized or had been set to NULL - most plausibly while parsing an attacker-supplied request - causing the process to fault and terminate. Because asperahttpd is a network-facing listener, the defect is reachable directly over the network without any authenticated session. No CPE strings were supplied in the input; affected product identification therefore relies on the NVD/EUVD version ranges rather than machine-readable CPE entries.
RemediationAI
Apply the fix described in the IBM advisory at https://www.ibm.com/support/pages/node/7273615; the provided data does not include an exact fixed version number, so administrators should consult that advisory for the specific Fix Pack/release that supersedes 4.4.7 Fix Pack 1 and verify it before deploying. Until patched, reduce exposure of the asperahttpd HTTP listener: restrict access to the asperahttpd port to trusted source networks via firewall or ACLs, place the service behind a reverse proxy or VPN, and disable the HTTP/HTTPS fallback transfer path if it is not required in your deployment (trade-off: clients that rely on HTTP fallback or web-based transfer setup will lose that capability and may fail behind restrictive firewalls). Because the impact is a crash, also configure service auto-restart/monitoring so the daemon recovers quickly, while recognizing this does not prevent repeated re-triggering by an attacker.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32499
GHSA-fqw5-w9px-94f7