Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
IBM HTTP Server 8.5, and 9.0 is vulnerable to denial of service via the optional module mod_ibm_upload.
AnalysisAI
Denial of service in IBM HTTP Server 8.5 and 9.0 allows remote unauthenticated attackers to crash the web server when the optional mod_ibm_upload module is loaded, triggering a null pointer dereference (CWE-476). No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02% (4th percentile), though SSVC flags the issue as automatable with partial technical impact. Affected deployments include HTTP Server 8.5 up to Interim Fix 002 and HTTP Server 9.0, with a vendor patch available via IBM support note 7274065.
Technical ContextAI
IBM HTTP Server is IBM's distribution of the Apache HTTP Server, bundled with WebSphere Application Server and used as a front-end web tier for J2EE applications. The vulnerable component is mod_ibm_upload, an optional IBM-specific Apache module that handles file upload processing - it is not loaded by default in stock Apache installs. The root cause is a CWE-476 null pointer dereference: a code path in the module dereferences a pointer that can be NULL when handling certain request inputs, causing the worker process to crash. Affected CPE is cpe:2.3:a:ibm:http_server:*:*:*:*:*:*:*:*, covering the 8.5.x line through Interim Fix 002 and the 9.0 branch.
RemediationAI
Patch available per vendor advisory: apply the fix published in IBM support note https://www.ibm.com/support/pages/node/7274065, which supersedes Interim Fix 002 on the 8.5 branch and provides a fixed level for the 9.0 branch. If patching cannot occur immediately, the most direct compensating control is to unload mod_ibm_upload by removing or commenting out its LoadModule directive in httpd.conf and restarting the server - this fully eliminates the vulnerable code path, with the trade-off that any application relying on mod_ibm_upload for HTTP file upload handling will break and must be migrated to an alternative upload mechanism. As a secondary control, place a reverse proxy or WAF in front of IBM HTTP Server to block or rate-limit upload requests to endpoints that route through the module, accepting the cost of additional latency and a more complex request path. Confirm fix application by checking the installed iFix level against IBM's advisory.
More in Http Server
View allApache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user
The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for
Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denia
The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2
The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directiv
mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeds with save operations for
The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from t
The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which al
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party mod
In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured c
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when se
protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construct
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31894
GHSA-f24c-2c3h-f7jx