Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
IBM HTTP Server 8.5, and 9.0 is vulnerable to denial of service via the optional module mod_mem_cache.
AnalysisAI
Denial of service in IBM HTTP Server 8.5 and 9.0 allows remote unauthenticated attackers to crash or degrade the service when the optional mod_mem_cache module is loaded. The flaw carries a CVSS 7.5 (availability-only impact) and has no public exploit identified at time of analysis, though the SSVC framework rates exploitation as automatable. EPSS probability is very low (0.01%, 3rd percentile), suggesting limited near-term exploitation interest.
Technical ContextAI
IBM HTTP Server is IBM's Apache-based web server commonly bundled with WebSphere Application Server deployments (CPE cpe:2.3:a:ibm:http_server). The issue resides in mod_mem_cache, an optional caching module that stores responses in process memory to accelerate repeat requests. CWE-825 (Expired Pointer Dereference) indicates the root cause is a use-after-free or stale-reference condition - code accessing a memory location after its lifetime has ended - likely triggered by cache eviction or expiry logic in mod_mem_cache, causing the worker process to crash and degrading availability.
RemediationAI
Patch available per vendor advisory - apply the IBM-provided interim fix referenced at https://www.ibm.com/support/pages/node/7274065 for both 8.5 and 9.0 branches (the EUVD record notes 8.5 fixes supersede Interim Fix 002). If patching cannot be performed immediately, the most effective compensating control is to unload mod_mem_cache from httpd.conf (comment out the LoadModule mem_cache_module directive and any CacheEnable mem entries), since the vulnerability is conditional on this optional module - the trade-off is loss of in-memory response caching and a potential increase in backend load and latency for cached resources. Where mod_mem_cache is required, restrict network exposure of the HTTP Server to trusted networks via firewall ACLs or place it behind a reverse proxy/WAF until patching completes.
More in Http Server
View allApache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user
The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for
Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denia
The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2
The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directiv
mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeds with save operations for
The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from t
The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which al
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party mod
In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured c
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when se
protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construct
Same weakness CWE-825 – Expired Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31904
GHSA-2h2g-6j29-j4fm