Severity by source
AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
IBM HTTP Server 8.5, and 9.0 is vulnerable to invalid pointer dereference. A privileged user, authenticated to the Administration Server, could exploit this vulnerability to expose sensitive information or cause a denial of service.
AnalysisAI
Invalid pointer dereference in IBM HTTP Server 8.5 and 9.0 allows an authenticated privileged user on the Administration Server to expose sensitive information or trigger a denial-of-service condition. The flaw requires adjacent network access and existing low-level privileges, and no public exploit identified at time of analysis. EPSS exploitation probability is negligible (0.01%) and CISA SSVC indicates no observed exploitation.
Technical ContextAI
IBM HTTP Server is IBM's commercially supported HTTP server distribution based on the Apache HTTP Server codebase, frequently bundled with WebSphere Application Server for hosting web content and proxying requests to backend J2EE applications. The Administration Server is a separate management daemon used to remotely administer the HTTP Server instance. The root cause is classified as CWE-822 (Untrusted Pointer Dereference), where the program dereferences a pointer whose value is influenced by untrusted input, leading to memory access at an invalid or attacker-influenced address - typically resulting in a process crash (DoS) or, in the disclosure case here, reading memory contents that the process should not return to the caller. The affected CPE is cpe:2.3:a:ibm:http_server, covering both the 8.5 and 9.0 product lines.
RemediationAI
Patch available per vendor advisory - apply the fix described in IBM Support note https://www.ibm.com/support/pages/node/7274065, which provides the corrective interim fix for 8.5 and the patched 9.0 build (consult the advisory for the exact iFix identifier applicable to your release). As compensating controls until the fix is deployed, restrict network reachability of the IBM HTTP Server Administration Server to a dedicated management VLAN or jump host (the AV:A vector means non-adjacent attackers cannot reach it), enforce strong authentication and rotate Administration Server credentials to reduce the chance that the required PR:L privilege is held by a compromised account, and audit who currently holds Administration Server access - the trade-off of tightening admin network exposure is reduced operational convenience for remote administrators, which is acceptable for a management plane.
More in Http Server
View allApache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user
The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for
Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denia
The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2
The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directiv
mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeds with save operations for
The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from t
The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which al
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party mod
In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured c
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when se
protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construct
Same weakness CWE-822 – Untrusted Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31918
GHSA-2c97-gp89-gf5p