Skip to main content

IBM HTTP Server CVE-2026-8850

| EUVDEUVD-2026-31894 HIGH
NULL Pointer Dereference (CWE-476)
2026-05-26 ibm GHSA-f24c-2c3h-f7jx
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 09:55 vuln.today

DescriptionCVE.org

IBM HTTP Server 8.5, and 9.0 is vulnerable to denial of service via the optional module mod_ibm_upload.

AnalysisAI

Denial of service in IBM HTTP Server 8.5 and 9.0 allows remote unauthenticated attackers to crash the web server when the optional mod_ibm_upload module is loaded, triggering a null pointer dereference (CWE-476). No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02% (4th percentile), though SSVC flags the issue as automatable with partial technical impact. Affected deployments include HTTP Server 8.5 up to Interim Fix 002 and HTTP Server 9.0, with a vendor patch available via IBM support note 7274065.

Technical ContextAI

IBM HTTP Server is IBM's distribution of the Apache HTTP Server, bundled with WebSphere Application Server and used as a front-end web tier for J2EE applications. The vulnerable component is mod_ibm_upload, an optional IBM-specific Apache module that handles file upload processing - it is not loaded by default in stock Apache installs. The root cause is a CWE-476 null pointer dereference: a code path in the module dereferences a pointer that can be NULL when handling certain request inputs, causing the worker process to crash. Affected CPE is cpe:2.3:a:ibm:http_server:*:*:*:*:*:*:*:*, covering the 8.5.x line through Interim Fix 002 and the 9.0 branch.

RemediationAI

Patch available per vendor advisory: apply the fix published in IBM support note https://www.ibm.com/support/pages/node/7274065, which supersedes Interim Fix 002 on the 8.5 branch and provides a fixed level for the 9.0 branch. If patching cannot occur immediately, the most direct compensating control is to unload mod_ibm_upload by removing or commenting out its LoadModule directive in httpd.conf and restarting the server - this fully eliminates the vulnerable code path, with the trade-off that any application relying on mod_ibm_upload for HTTP file upload handling will break and must be migrated to an alternative upload mechanism. As a secondary control, place a reverse proxy or WAF in front of IBM HTTP Server to block or rate-limit upload requests to endpoints that route through the module, accepting the cost of additional latency and a more complex request path. Confirm fix application by checking the installed iFix level against IBM's advisory.

CVE-2017-9798 HIGH POC
7.5 Sep 18

Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user

CVE-2013-2566 MEDIUM POC
5.9 Mar 15

The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for

CVE-2014-0226 MEDIUM POC
6.8 Jul 20

Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denia

CVE-2016-8740 HIGH POC
7.5 Dec 05

The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2

CVE-2013-5704 MEDIUM POC
5.0 Apr 15

The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directiv

CVE-2013-2249 HIGH POC
7.5 Jul 23

mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeds with save operations for

CVE-2016-5387 HIGH
8.1 Jul 19

The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from t

CVE-2017-7668 HIGH
7.5 Jun 20

The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which al

CVE-2017-3169 CRITICAL POC
9.8 Jun 20

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party mod

CVE-2016-0736 HIGH POC
7.5 Jul 27

In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured c

CVE-2017-7679 CRITICAL POC
9.8 Jun 20

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when se

CVE-2012-0053 MEDIUM POC
4.3 Jan 28

protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construct

Share

CVE-2026-8850 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy