Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-reachable, unauthenticated, low-complexity crafted request causes memory exhaustion - availability-only impact, no confidentiality or integrity effect.
Primary rating from Vendor (ibm).
CVSS VectorVendor: ibm
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
IBM WebSphere Application Server 9.0, and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources.
AnalysisAI
Denial of service in IBM WebSphere Application Server 8.5 and 9.0, plus WebSphere Liberty 17.0.0.3 through 26.0.0.6, allows remote unauthenticated attackers to exhaust server memory by sending a specially crafted request. The CVSS 7.5 score reflects high availability impact with no privileges or user interaction required, though no public exploit identified at time of analysis and no EPSS or KEV data is provided.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions - remote unauthenticated exploitation against default configurations of IBM WebSphere Application Server traditional 8.5/9.0 and Liberty 17.0.0.3 through 26.0.0.6, requiring only network reachability to a listening WAS HTTP or service endpoint. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H indicates a network-reachable, low-complexity, unauthenticated attack producing high availability impact with no confidentiality or integrity consequences - a classic remote DoS profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker on the network sends one or more specially crafted requests to an exposed WebSphere or Liberty HTTP/SOAP endpoint; the server allocates excessive memory while parsing or processing the request, and repeated requests drive the JVM into garbage-collection thrashing or OutOfMemoryError, taking the application offline. Because the CVSS vector is AV:N/AC:L/PR:N/UI:N, the attack can be automated from any internet host without credentials or social engineering. |
| Remediation | Patch available per vendor advisory - apply the interim fix or fix pack documented at https://www.ibm.com/support/pages/node/7276579 for the specific WAS 8.5, 9.0, or Liberty release in use. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all production and non-production instances of IBM WebSphere Application Server 8.5, 9.0 and WebSphere Liberty 17.0.0.3 through 26.0.0.6. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Websphere Application Server
View allIBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with
IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.47, 7.0 before 7.0.0.39, 8.0 before 8.0.0.11, and 8.5 before 8.
The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Co
Unspecified vulnerability in the IBM HTTP Server component 5.3 in IBM WebSphere Application Server (WAS) for z/OS allows
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the sys
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.43, 8.0 before 8.0.0.13, 8.5 before 8.5.5.11, 9.0 before 9.0.0.2
Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6.1, 7.0 before 7.0.0.27, 8.0, and 8.5 has unknown i
HTTP request smuggling in IBM WebSphere Application Server (traditional 8.5 and 9.0) and WebSphere Liberty (17.0.0.3 thr
Server-side request forgery in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.7) lets remote unauthen
Server-side request forgery in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.7) lets remote, unauthe
IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the s
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38253
GHSA-x466-m8cx-8p3m