
WebSphere Extreme Scale CVE-2026-9002

EUVD: EUVD-2026-40379 · MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-06-30 · ibm · GHSA-qh26-gm6x-4qpg
6.5 (CVSS 3.1 · NVD)

Severity by source

Vendor (ibm), primary: MEDIUM (qualitative)
NVD: 6.5 MEDIUM, AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI: 6.5 MEDIUM

Adjacent-only reach (AV:A) and no authentication needed (PR:N); exclusive availability impact (A:H) from JVM crash with no confidentiality or integrity consequence.

CVSS 3.1: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0: AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (ibm).

CVSS Vector (NVD)

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

1. Analysis Generated: Jun 30, 2026 19:51 (vuln.today)

Description (NVD)

IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 could allow an adjacent attacker to cause a denial of service due to improper validation in the XDF decoder. The application processes deeply nested Protocol Buffers messages and attacker-controlled length prefixes without sufficient bounds checking, which may allow an attacker on the same network to trigger a StackOverflowError or OutOfMemoryError, resulting in a crash of the WebSphere Application Server JVM.

Analysis (AI)

Denial of service in IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 allows adjacent unauthenticated attackers to crash the WebSphere Application Server JVM by sending malformed XDF-encoded Protocol Buffers messages to the data grid. The XDF decoder fails to enforce bounds on recursive protobuf message nesting depth and attacker-supplied length prefixes, triggering either a StackOverflowError or OutOfMemoryError that takes down the JVM process. …
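The two checks the description and analysis above say are missing (a cap on how deeply messages may nest, and a length prefix validated against the bytes actually present before anything is allocated or recursed into) can be shown on a toy length-prefixed, protobuf-style format. The Python below is an added example written for this page; it is not IBM's XDF decoder and not a real protobuf library. The field-number conventions (field 1 nested, field 2 bytes), the depth limit of 64, and the three sample messages are all constructed for the illustration.

```python
"""Toy protobuf-style decoder: a naive version shaped like the flaw the CVE
describes, and a hardened version with a depth cap and length-prefix check.
Constructed example for this page; not IBM's XDF code, not a real protobuf
library."""

MAX_DEPTH = 64          # assumed cap for this example
MAX_VARINT_BYTES = 10   # a 64-bit varint never needs more than 10 bytes

WIRE_VARINT = 0         # wire type 0: varint
WIRE_LEN = 2            # wire type 2: length-delimited
FIELD_NESTED = 1        # constructed convention: field 1 carries a nested message
FIELD_BYTES = 2         # constructed convention: field 2 carries opaque bytes


def encode_varint(n: int) -> bytes:
    """Little-endian base-128 varint, as protobuf encodes integers."""
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def read_varint(buf: bytes, pos: int):
    """Return (value, new_pos); stops at the buffer end and at 10 bytes so a
    run of continuation bits cannot make the reader run away."""
    result = shift = 0
    for _ in range(MAX_VARINT_BYTES):
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
    raise ValueError("varint longer than 10 bytes")


def naive_decode(buf: bytes, pos: int = 0, end=None) -> list:
    """Shaped like the flaw described above: unbounded recursion on nested
    messages, and a length prefix trusted without checking it against input."""
    end = len(buf) if end is None else end
    fields = []
    while pos < end:
        tag, pos = read_varint(buf, pos)
        field, wire = tag >> 3, tag & 7
        if wire == WIRE_VARINT:
            value, pos = read_varint(buf, pos)
        elif wire == WIRE_LEN:
            length, pos = read_varint(buf, pos)
            body_end = pos + length                  # sender-controlled, unchecked
            if field == FIELD_NESTED:
                value = naive_decode(buf, pos, body_end)   # no depth cap
            else:
                value = buf[pos:body_end]            # a decoder that pre-sized a
            pos = body_end                           # buffer from `length` would
        else:                                        # exhaust the heap here
            raise ValueError(f"unsupported wire type {wire}")
        fields.append((field, value))
    return fields


def safe_decode(buf: bytes, pos: int = 0, end=None, depth: int = 0) -> list:
    """Same grammar with both checks done before any work on the nested body."""
    end = len(buf) if end is None else end
    if depth > MAX_DEPTH:
        raise ValueError(f"nesting deeper than {MAX_DEPTH} levels")
    fields = []
    while pos < end:
        tag, pos = read_varint(buf, pos)
        field, wire = tag >> 3, tag & 7
        if wire == WIRE_VARINT:
            value, pos = read_varint(buf, pos)
        elif wire == WIRE_LEN:
            length, pos = read_varint(buf, pos)
            if length > end - pos:                   # prefix must fit the enclosing message
                raise ValueError(f"length prefix {length} exceeds {end - pos} available bytes")
            body_end = pos + length
            if field == FIELD_NESTED:
                value = safe_decode(buf, pos, body_end, depth + 1)
            else:
                value = buf[pos:body_end]
            pos = body_end
        else:
            raise ValueError(f"unsupported wire type {wire}")
        fields.append((field, value))
    return fields


def try_decode(decoder, buf: bytes):
    """Run a decoder and report ('ok', fields) or ('rejected', exception name)."""
    try:
        return "ok", decoder(buf)
    except (ValueError, RecursionError) as exc:
        return "rejected", type(exc).__name__


# Constructed sample messages (encoder helpers for the same toy format).
def field_varint(field: int, n: int) -> bytes:
    return encode_varint(field << 3 | WIRE_VARINT) + encode_varint(n)


def field_len(field: int, payload: bytes) -> bytes:
    return encode_varint(field << 3 | WIRE_LEN) + encode_varint(len(payload)) + payload


def nest(payload: bytes, levels: int) -> bytes:
    for _ in range(levels):
        payload = field_len(FIELD_NESTED, payload)
    return payload


BENIGN = nest(field_varint(3, 42) + field_len(FIELD_BYTES, b"grid"), 2)
DEEP = nest(b"", 5000)                            # 5000 wrappers around nothing
INFLATED = (encode_varint(FIELD_BYTES << 3 | WIRE_LEN)
            + encode_varint(1 << 40) + b"xx")     # claims 1 TiB, carries 2 bytes

if __name__ == "__main__":
    for name, buf in (("benign", BENIGN), ("deep", DEEP), ("inflated", INFLATED)):
        print(f"{name:9} naive={try_decode(naive_decode, buf)[0]:9} "
              f"safe={try_decode(safe_decode, buf)[0]}")
```

On the deep message the naive decoder dies with the interpreter's own RecursionError (the Python analogue of the StackOverflowError the advisory describes), while the hardened one rejects the input with a clean ValueError at depth 65 having touched only a few hundred bytes. On the inflated message the naive decoder silently accepts two bytes tagged as a terabyte; the hardened one refuses before any allocation, because the prefix is compared with the bytes remaining in the enclosing message rather than used as a trusted size.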


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Gain adjacent network access
Delivery: Craft malformed XDF/protobuf payload with deep nesting or inflated length prefix
Exploit: Deliver payload to WebSphere Extreme Scale XDF decoder endpoint
Execution: Trigger unbounded recursion or heap allocation
Impact: Crash WebSphere Application Server JVM

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the attacker to be network-adjacent to the target - sharing the same Layer 2 broadcast domain, VLAN, or subnet as the WebSphere Extreme Scale instance (AV:A per CVSS). …

Risk Assessment: The CVSS 3.1 score of 6.5 (Medium) with vector AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H accurately reflects a meaningful but geographically contained threat. …

Exploit Scenario: An attacker with a foothold on the same network segment as a WebSphere Extreme Scale grid node - such as a compromised internal server or a co-tenant VM in a shared cloud environment - sends a crafted XDF-encoded protobuf message containing hundreds of levels of nested message wrappers or a length prefix set to a value far exceeding available heap. The XDF decoder processes the payload without bounds enforcement, either overflowing the JVM call stack through recursive parsing or exhausting heap memory through the unbounded allocation, and the WebSphere Application Server JVM crashes, taking the data grid node offline. …

Remediation: Apply the vendor-released patch per the IBM support advisory at https://www.ibm.com/support/pages/node/7278346. …
