Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
IBM HTTP Server 8.5, and 9.0 is vulnerable to denial of service via the optional module mod_fastcgi module.
AnalysisAI
Denial of service in IBM HTTP Server 8.5 and 9.0 is achievable by a local, unprivileged attacker through the optional mod_fastcgi module, which triggers a reachable assertion (CWE-617) causing the server process to abort. Affected versions span IBM HTTP Server 9.0 and IBM HTTP Server 8.5.0 through Interim Fix 002. No public exploit exists and CISA has not listed this in the KEV catalog; EPSS exploitation probability is extremely low at 0.03% (9th percentile), indicating minimal real-world threat at present.
Technical ContextAI
IBM HTTP Server is IBM's enterprise web server product, built on Apache HTTP Server technology. The affected optional module, mod_fastcgi, implements the FastCGI protocol, allowing the web server to communicate with persistent backend application processes via local sockets or pipes. CWE-617 (Reachable Assertion) describes a class of vulnerability where an assertion embedded in the application code can be triggered by attacker-controlled input, causing an abnormal process termination rather than graceful error handling. In mod_fastcgi's context, a malformed or unexpected input reaching an internal assertion point causes the IBM HTTP Server process to abort entirely, producing a denial-of-service condition. The CPE string (cpe:2.3:a:ibm:http_server:*:*:*:*:*:*:*:*) applies broadly to IBM HTTP Server without version qualification in NVD, but EUVD narrows affected versions to 9.0 and 8.5.0 up to and including Interim Fix 002.
RemediationAI
IBM has released a patch for this vulnerability, available through the IBM support portal at https://www.ibm.com/support/pages/node/7274065. The exact patched version number is not independently specified in available data beyond 'Available from vendor' - administrators should consult the advisory directly to identify the appropriate fix level for their deployment (IBM HTTP Server 8.5 or 9.0). As an immediate compensating control, disabling the mod_fastcgi module eliminates the attack surface entirely, since the vulnerability is confined to that optional component; the trade-off is loss of FastCGI backend communication capability, which may impact application functionality if FastCGI-based apps are in use. Restricting local user access to the host running IBM HTTP Server reduces the pool of potential attackers given the AV:L vector. Additional context is available via the VulDB advisory at https://vuldb.com/vuln/365715.
More in Http Server
View allApache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user
The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for
Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denia
The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2
The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directiv
mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeds with save operations for
The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from t
The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which al
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party mod
In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured c
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when se
protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construct
Same weakness CWE-617 – Reachable Assertion
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31896
GHSA-5grx-55jc-2fff