IBM

Arbitrary file read in IBM's compliance-trestle Python library allows any file accessible to the running process to be extracted by supplying a malicious OSCAL profile YAML with path traversal sequences in the imports[].href field. Three confirmed attack vectors exist: via the trestle:// URI scheme, via relative href paths, and via back_matter rlinks - all exploiting the same root cause in LocalFetcher. Publicly available exploit code (PoC) exists demonstrating extraction of /etc/passwd, cloud credential files, and SSH private keys; no CISA KEV listing is confirmed at time of analysis.

Arbitrary file write in the compliance-trestle Python library (versions 4.0.0-4.0.2 and any release below 3.12.2) lets an attacker who controls a referenced OSCAL artifact plant attacker-supplied content anywhere the trestle process can write. The HTTPSFetcher and SFTPFetcher cache layer builds the local cache file path directly from the URL path component, so when trestle imports a remote OSCAL profile whose href contains `../` traversal the fetched HTTP/SFTP response body escapes the .trestle cache directory; overwriting files such as /etc/cron.d entries, ~/.ssh/authorized_keys, or a module on sys.path turns the primitive into code execution. A reproducible public proof-of-concept exists in the GHSA advisory (GHSA-g3vg-vx23-3858); the flaw is not listed in CISA KEV and no CVSS or EPSS scoring is provided, but the maintainers have shipped fixes in 4.0.3 and 3.12.2.

Information disclosure in IBM Business Automation Workflow (containers and traditional deployments) exposes internal database schema details through application error messages to authenticated low-privilege users. Affecting versions across the 24.0.0, 24.0.1, 25.0.0, and 25.0.1 release lines, a network-accessible authenticated attacker can deliberately trigger error conditions to harvest database structure information - table names, column names, or schema layout - without needing elevated permissions. No public exploit code exists and no active exploitation is confirmed; SSVC assessment classifies this as non-automatable with partial technical impact, consistent with its limited confidentiality scope.

Path traversal in the asperahttpd HTTP component of IBM Aspera High-Speed Transfer Endpoint and Server (versions 3.7.4 through 4.4.7 Fix Pack 1) enables authenticated network users to read arbitrary files from the server's local filesystem beyond their authorized scope. The vulnerability is classified CWE-22 and carries a CVSS 6.5 medium score, reflecting high confidentiality impact with no integrity or availability exposure. No public exploit identified at time of analysis, and CISA's SSVC framework rates exploitation status as none with partial technical impact, suggesting limited immediate threat despite the sensitive nature of file read primitives in a file-transfer product.

Credential exposure in IBM Guardium Data Protection's Long Term Retention (LTR) add-on feature allows authenticated network users to obtain sensitive credentials when the system is operating in debug mode. Affected versions are 12.2.1 (up to and including Fix Pack 4.4.7 Fix Pack 1) and 12.2.2. The high confidentiality impact (C:H) reflects that fully valid credentials - not just partial data - may be disclosed, potentially enabling lateral movement or privilege escalation within the data protection infrastructure. No public exploit has been identified at time of analysis, and SSVC assessment confirms no active exploitation.

Remote denial of service in IBM Aspera High-Speed Transfer Endpoint and High-Speed Transfer Server (versions 3.7.4 through 4.4.7 Fix Pack 1) allows an unauthenticated network attacker to crash the asperahttpd service via a NULL pointer dereference. Exploitation requires no credentials and no user interaction, yielding a complete loss of availability for the affected transfer service. There is no public exploit identified at time of analysis, and the issue has no confidentiality or integrity impact.

Arbitrary code execution in IBM Aspera High-Speed Transfer Server and Endpoint (versions 3.7.4 through 4.4.7 Fix Pack 1) arises from a stack-based buffer overflow in the asperahttpd component. An authenticated user with network access can corrupt memory in this HTTP handling component to run code in the context of the service, fully compromising confidentiality, integrity, and availability (CVSS 8.8). No public exploit has been identified at time of analysis, and the CVE is not listed in CISA KEV; EPSS data was not provided.

Remote code execution and authentication bypass are possible in IBM Aspera High-Speed Transfer Server and High-Speed Transfer Endpoint (versions 3.7.4 through 4.4.7 Fix Pack 1) through a heap-based buffer overflow in the asperahttpd component. An unauthenticated network attacker can corrupt memory to crash the service (denial of service) and, in the worst case, hijack execution flow to run arbitrary code or bypass authentication. There is no public exploit identified at time of analysis and SSVC lists exploitation as none, but the CVSS 9.8 rating and 'Automatable: yes' assessment mark this as a high-priority patching target.

Authentication bypass in IBM Aspera High-Speed Transfer Server for Cloud Pak for Integration (CP4I) versions 1.5.1 through 1.5.19 allows remote attackers to access and modify protected resources without valid credentials, scoring CVSS 9.1 critical. The flaw exposes confidential file transfer data and permits unauthorized modification of integrity-protected assets across all affected releases. No public exploit identified at time of analysis, and EPSS predicts only a 0.02% near-term exploitation probability despite the high severity rating.

Denial of service in IBM Langflow OSS 1.0.0 through 1.9.0 lets a low-privileged, authenticated remote attacker drive uncontrolled resource consumption (CWE-400) to degrade or crash the service, with a high availability impact and a minor confidentiality exposure per the CVSS vector. The flaw is network-reachable, requires no user interaction, and needs only a low-privilege account. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and no EPSS score was supplied.

Remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.1 lets unauthenticated network attackers run arbitrary code by abusing how the platform handles symbolic links while unpacking uploaded archives. Because extraction does not properly validate symlink targets, a crafted archive can write files outside the intended directory and ultimately achieve code execution on the host. The flaw carries a critical CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and is reachable without authentication or user interaction, though no public exploit identified at time of analysis.

Authentication bypass in IBM Operations Analytics - Log Analysis and IBM SmartCloud Analytics - Log Analysis (Operations Analytics versions 1.3.2.0 through 1.3.8.4) stems from hardcoded default credentials baked in during the manufacturing/installation process. An attacker who can reach the installation can authenticate with these known-default passwords, gaining full control with high confidentiality, integrity, and availability impact. The CVSS 3.1 vector scores this as a local-vector issue (AV:L) rather than remote, no public exploit has been identified, and SSVC reports exploitation status of 'none'.

Denial-of-service exposure in IBM OpenBMC firmware versions FW1110.00 through FW1110.11 allows unauthenticated remote attackers to partially degrade system availability by sending specially crafted network requests exploiting improper input quantity validation (CWE-1284). The attack requires no authentication, no user interaction, and low complexity, making it fully automatable per SSVC assessment - though no public exploit code has been identified at time of analysis. Because BMCs operate independently of the host OS and remain network-accessible even when servers are powered down, disrupting this layer carries operational risk disproportionate to the CVSS 5.3 Medium score alone.

Authorization bypass in IBM Db2 12.1.0 through 12.1.4 enables authenticated low-privilege users to upload data to remote object storage paths that should be beyond their access scope by including a specially crafted query. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms the attack is network-accessible, requires no user interaction, and demands only a low-privilege database account, while the I:H score indicates high integrity impact - unauthorized writes to restricted storage destinations. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Denial-of-service via uncontrolled recursion in the IBM i Integrated Language Environment (ILE) compiler affects versions 7.3, 7.4, 7.5 (≤12.1.4), and 7.6 (≤11.5.9). An authenticated network attacker can crash or hang the ILE compiler by submitting specially crafted source code containing a specific combination of statements that triggers infinite or deeply nested recursive processing. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though the low complexity and authenticated-only barrier makes this plausible for insider threat or compromised credential scenarios.

Denial of service in IBM Db2 11.5.x and 12.1.x allows a low-privileged local user to crash the database engine by executing a specially crafted query against range partitioned tables. The vulnerability stems from uncontrolled resource allocation (CWE-770) during query processing, resulting in complete availability loss with no impact to confidentiality or integrity. No public exploit code exists and this vulnerability has not been listed in the CISA KEV catalog at time of analysis.

Memory exhaustion in IBM Db2 11.5.x and 12.1.x allows an authenticated remote attacker to crash the database engine by submitting certain queries targeting Multi-Dimensional Clustering (MDC) tables, resulting in a denial of service. The vulnerability carries a CVSS 6.5 score with network-accessible attack vector and low-privilege requirement, meaning any valid database user can trigger it. No active exploitation has been identified at time of analysis; SSVC rates exploitation status as none and technical impact as partial.

Denial of service in IBM Db2 versions 11.5.0-11.5.9 and 12.1.0-12.1.4 allows a locally authenticated, low-privileged user to crash the database service by executing a specially crafted SQL query against an instance configured with a small statement heap. The vulnerability stems from uncontrolled resource consumption (CWE-400) during query processing, resulting in high availability impact with no confidentiality or integrity exposure. No public exploit code and no active exploitation have been identified at time of analysis; SSVC classifies exploitation status as none.

Security bypass via race condition in IBM WebSphere Application Server Liberty 22.0.0.11 through 26.0.0.5 allows a remote, highly-privileged attacker to circumvent access controls during a narrow timing window, resulting in high-confidentiality-impact data exposure. The CVSS vector confirms network-based exploitation requiring high privileges and high attack complexity, constraining real-world risk significantly. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Sensitive information disclosure in IBM App Connect Enterprise 13.0.1.0 through 13.0.7.0 exposes potentially sensitive data via log files accessible to local users. The CVSS vector (AV:L/PR:L) confirms exploitation requires local, low-privileged authenticated access, limiting the attack surface to users already present on the system. No public exploit has been identified and CISA SSVC rates exploitation as none, but the confidentiality impact is rated High, meaning successful access to log files could yield significant sensitive data.

Hard-coded credentials in IBM Controller (versions 11.0.1, 11.1.0, 11.1.1, and 11.1.2) give attackers a static, embedded secret - a password or cryptographic key - that the product uses for inbound authentication, outbound communication, or encryption of internal data. Because the credential is the same across every deployment, an attacker who already holds low-level access (CVSS PR:L) can leverage it to gain full confidentiality, integrity, and availability impact (C:H/I:H/A:H) over the network. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Memory exhaustion in IBM WebSphere Application Server (Liberty 19.0.0.7-26.0.0.5, traditional WAS 8.5 and 9.0) allows an adjacent-network, low-privileged attacker to trigger uncontrolled memory consumption by sending a specially crafted request. The attack requires both network adjacency and high complexity conditions, constraining the realistic threat surface significantly compared to the High availability impact rating. No public exploit code exists and CISA SSVC rates exploitation as 'none' with technical impact classified as 'partial', placing this vulnerability in a lower operational priority tier despite the A:H component impact.

In the Linux kernel, the following vulnerability has been resolved: mm/mempolicy: fix memory leaks in weighted_interleave_auto_store() weighted_interleave_auto_store() fetches old_wi_state inside the if (!input) block only. This causes two memory leaks: 1. When a user writes "false" and the current mode is already manual, the function returns early without freeing the freshly allocated new_wi_state. 2. When a user writes "true", old_wi_state stays NULL because the fetch is skipped entirely. The old state is then overwritten by rcu_assign_pointer() but never freed, since the cleanup path is gated on old_wi_state being non-NULL. A user can trigger this repeatedly by writing "1" in a loop. Fix both leaks by moving the old_wi_state fetch before the input check, making it unconditional. This also allows a unified early return for both "true" and "false" when the requested mode matches the current mode. Reviewed by: Donet Tom <donettom@linux.ibm.com>

{+.+.}-{3:3}, at: pci_lock_rescan_remove+0x28/0x40 [ 84.964342] [ T928] but task is already holding lock: [ 84.964347] [ T928] c000000003b29d58 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_lock_rescan_remove+0x28/0x40 [ 84.964357] [ T928] other info that might help us debug this: [ 84.964363] [ T928] Possible unsafe locking scenario: [ 84.964367] [ T928] CPU0 [ 84.964370] [ T928] ---- [ 84.964373] [ T928] lock(pci_rescan_remove_lock); [ 84.964378] [ T928] lock(pci_rescan_remove_lock); [ 84.964383] [ T928] *** DEADLOCK *** [ 84.964388] [ T928] May be due to missing lock nesting notation [ 84.964393] [ T928] 1 lock held by eehd/928: [ 84.964397] [ T928] #0: c000000003b29d58 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_lock_rescan_remove+0x28/0x40 [ 84.964408] [ T928] stack backtrace: [ 84.964414] [ T928] CPU: 2 UID: 0 PID: 928 Comm: eehd Not tainted 6.18.0-rc3 #51 VOLUNTARY [ 84.964417] [ T928] Hardware name: IBM,9080-HEX POWER10 (architected) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_022) hv:phyp pSeries [ 84.964419] [ T928] Call Trace: [ 84.964420] [ T928] [c0000011a7157990] [c000000001705de4] dump_stack_lvl+0xc8/0x130 (unreliable) [ 84.964424] [ T928] [c0000011a71579d0] [c0000000002f66e0] print_deadlock_bug+0x430/0x440 [ 84.964428] [ T928] [c0000011a7157a70] [c0000000002fd0c0] __lock_acquire+0x1530/0x2d80 [ 84.964431] [ T928] [c0000011a7157ba0] [c0000000002fea54] lock_acquire+0x144/0x410 [ 84.964433] [ T928] [c0000011a7157cb0] [c0000011a7157cb0] __mutex_lock+0xf4/0x1050 [ 84.964436] [ T928] [c0000011a7157e00] [c000000000de21d8] pci_lock_rescan_remove+0x28/0x40 [ 84.964439] [ T928] [c0000011a7157e20] [c00000000004ed98] eeh_pe_bus_get+0x48/0xc0 [ 84.964442] [ T928] [c0000011a7157e50] [c00000 ---truncated---

Authenticated denial-of-service in IBM Db2 for Linux, UNIX, and Windows allows a low-privileged network user to crash database availability by submitting specially crafted data queries against the Fenced environment. The vulnerability affects IBM Cloud APM Base Private 8.1.4 and Advanced Private 8.1.4, which bundle Db2 as a backend component. No public exploit has been identified at time of analysis, and the CVSS score of 6.5 reflects meaningful but bounded risk due to the authentication prerequisite.

Local privilege escalation in IBM Netezza Performance Server Replication Services (versions 3.0.2.0 through 3.0.5.0) allows an already-authenticated, low-privileged user on the appliance to gain full root control. By abusing the over-privileged Replication Services component the attacker can execute root-level commands, spawn a root shell, reset the root password, alter or delete system-wide files, and plant persistent backdoors, resulting in complete loss of confidentiality, integrity, and availability. There is no public exploit identified at time of analysis, and no EPSS score was supplied in the source data, so the issue currently reflects vendor-reported risk rather than observed exploitation.

Directory traversal in IBM InfoSphere Optim Test Data Fabrication (versions 1.0.0 through 1.0.2.7) lets a remote, unauthenticated attacker read arbitrary files from the host by sending a crafted URL containing '../' sequences. The flaw is purely an information-disclosure issue - confidentiality is impacted with no integrity or availability effect - and CVSS rates it 7.5 (High). There is no public exploit identified at time of analysis, and CISA's SSVC framework records exploitation status as none, though it flags the issue as automatable.

Sensitive information disclosure in IBM MQ Operator and IBM-supplied MQ Advanced container images exposes potentially sensitive data written to log files, readable by local users on the host or container system. Affected versions span three release tracks (LTS, CD, SC2) across both the MQ Operator (v2.0.0 through v3.9.1) and a broad range of container image releases from 9.3.x through 9.4.x. The CVSS score of 5.1 with a local attack vector and high complexity rating confines exploitation to users with existing local or container runtime access, and no public exploit has been identified at time of analysis.

Denial of service in IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.4 allows an authenticated database user to crash or exhaust the database engine by submitting a specially crafted query when the autonomous transactions feature is enabled. The flaw (CWE-770, uncontrolled resource allocation) carries a CVSS 7.1 with high availability impact but no confidentiality or integrity loss. There is no public exploit identified at time of analysis, and CISA SSVC rates exploitation as 'none', indicating no observed activity to date.

Cross-site scripting in IBM Cognos Analytics and IBM Cognos Transformer allows a remote authenticated attacker to inject arbitrary JavaScript into the web user interface, executing in the browser context of other users within a trusted session. Affected versions span IBM Cognos Analytics 11.2.0 through 12.1.0 and IBM Cognos Transformer 11.2.4 through 12.1.0. The primary risk is credential disclosure - an attacker who can plant a payload could harvest session tokens or credentials from other authenticated users. No public exploit code exists and CISA SSVC rates exploitation as none at time of analysis.

Kernel NULL pointer dereference in AMD GPU driver on systems with 64KB page sizes allows local authenticated attackers to crash the system by triggering memory allocation mismatches between reserved trap area (8KB) and required allocation size (128KB) during GPU memory initialization. The vulnerability affects systems running ROCm workloads and causes denial of service when executing rocminfo or rccl unit tests on IBM POWER10 and similar 64K-page architectures. EPSS exploitation probability is very low (0.02%), and no public exploit code or active in-the-wild exploitation has been identified.

Denial of service in IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.4 allows authenticated users to crash the database server via improper neutralization of special elements in query logic. An attacker with valid database credentials can trigger the vulnerability remotely without user interaction, resulting in service unavailability. No active exploitation has been confirmed at time of analysis.

Denial of service in IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.3 for Linux, UNIX, and Windows allows authenticated users to crash the database server by submitting a specially crafted SQL query that triggers improper system resource allocation. An attacker with valid database credentials can exhaust resources and render the database unavailable to legitimate users without leaving data corruption or unauthorized access. No public exploit code has been identified, though the vulnerability requires only valid authentication and a standard SQL interface.

Denial of service in IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.3 allows authenticated users to crash the database server via improper neutralization of special elements in query logic when specific configurations are present. Attack requires valid database credentials and high attack complexity, limiting exploitation to insiders or users with legitimate access. Vendor has released patches addressing the underlying query parsing flaw.

IBM i 7.2-7.6 contains an invalid authorization check in the Web Administration GUI that allows authenticated high-privilege users with administrator access to trigger privilege escalation, enabling user-controlled code execution with administrator privileges. The vulnerability requires high privileges and user interaction (CVSS:H for confidentiality, integrity, and availability), but is not currently listed in CISA's Known Exploited Vulnerabilities catalog, and no public exploit code has been identified as of the analysis date.

IBM watsonx.data versions 2.2 through 2.3 fail to enforce proper network segmentation between Kubernetes pods in the Lakehouse component, allowing attackers with network access to the cluster to transfer data between pods without authentication or authorization controls. This integrity vulnerability has a moderate CVSS score of 5.3 and requires adjacent network access and specific configuration conditions to exploit.

Privilege escalation in IBM Turbonomic prometurbo agent allows compromised service accounts to exfiltrate cluster-wide Kubernetes secrets and achieve full cluster takeover. Affects versions 8.16.0 through 8.17.6 deployed in Kubernetes environments. The operator grants excessive RBAC permissions enabling unrestricted read access to all secrets cluster-wide. CVSS 8.8 indicates high severity with scope change to container/cluster level. No active exploitation confirmed (not in CISA KEV), but the attack path from service account compromise to cluster admin is well-understood in Kubernetes threat models.

IBM Langflow OSS 1.0.0 through 1.8.4 allows authenticated users to read transaction logs and vertex build data from other users' flows via direct flow_id manipulation, enabling unauthorized information disclosure and deletion of other users' persisted build data. The vulnerability requires valid user authentication (PR:L) but no additional complexity, affecting all deployments of affected versions.

IBM watsonx.data intelligence versions 5.2.0, 5.2.1, 5.3.0, and 5.3.1 store user credentials in plain text within local filesystem locations, allowing any local user to read sensitive authentication material without authentication. This information disclosure vulnerability affects confidentiality but not integrity or availability, and requires local filesystem access to exploit.

Remote code execution in IBM Langflow Desktop 1.0.0 through 1.8.4 allows authenticated attackers to execute arbitrary commands at the privilege level of the Langflow process. Attackers can exfiltrate API keys and database credentials from environment variables, modify application files, or pivot to internal network targets. IBM has released a vendor patch addressing this code injection vulnerability. No active exploitation confirmed by CISA KEV at time of analysis, though CVSS 8.8 severity and low attack complexity indicate high exploitability once authenticated access is obtained.

Path traversal in IBM Langflow Desktop versions 1.8.4 and earlier allows authenticated remote attackers to read arbitrary files on the system by crafting URLs containing directory traversal sequences (/../). The vulnerability affects the file handling mechanism and could expose sensitive configuration, source code, or other confidential files accessible to the Langflow process. A vendor-released patch is available.

Stored cross-site scripting in IBM Langflow Desktop 1.6.0 through 1.8.4 allows authenticated users to inject arbitrary JavaScript code into the Web UI, potentially altering application functionality and disclosing session credentials to other users of the same instance. The vulnerability requires valid authentication but no user interaction from the target, affecting confidentiality and integrity of the application.

Server-side request forgery (SSRF) in IBM Langflow Desktop 1.0.0 through 1.8.4 permits unauthenticated remote attackers to send arbitrary HTTP requests from the vulnerable system, enabling network enumeration, internal service probing, and facilitation of secondary attacks against backend infrastructure. CVSS 6.5 reflects moderate confidentiality and integrity impact without authentication barriers despite PR:N in vector.

Authenticated attackers can exploit a path traversal vulnerability in IBM Langflow Desktop 1.2.0 through 1.8.4 to write arbitrary files to the system by crafting URLs containing directory traversal sequences (/../). The vulnerability requires prior authentication but allows complete bypass of file system restrictions, enabling file overwrite or creation outside intended directories with no integrity protections.

Unauthenticated remote disclosure of user-uploaded images in IBM Langflow Desktop 1.0.0-1.8.4 allows network attackers to enumerate and access other users' private images through predictable object references. With CVSS 7.5 (High) reflecting unauthenticated network exploitation, and EPSS data not provided, risk depends on whether installations expose the vulnerable endpoint to untrusted networks. No KEV listing or public exploit code identified at time of analysis, suggesting discovery through vendor security review rather than active exploitation.

In the Linux kernel, the following vulnerability has been resolved: mm/kasan: fix double free for kasan pXds kasan_free_pxd() assumes the page table is always struct page aligned. But that's not always the case for all architectures. E.g. In case of powerpc with 64K pagesize, PUD table (of size 4096) comes from slab cache named pgtable-2^9. Hence instead of page_to_virt(pxd_page()) let's just directly pass the start of the pxd table which is passed as the 1st argument. This fixes the below double free kasan issue seen with PMEM: radix-mmu: Mapped 0x0000047d10000000-0x0000047f90000000 with 2.00 MiB pages ================================================================== BUG: KASAN: double-free in kasan_remove_zero_shadow+0x9c4/0xa20 Free of addr c0000003c38e0000 by task ndctl/2164 CPU: 34 UID: 0 PID: 2164 Comm: ndctl Not tainted 6.19.0-rc1-00048-gea1013c15392 #157 VOLUNTARY Hardware name: IBM,9080-HEX POWER10 (architected) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_012) hv:phyp pSeries Call Trace: dump_stack_lvl+0x88/0xc4 (unreliable) print_report+0x214/0x63c kasan_report_invalid_free+0xe4/0x110 check_slab_allocation+0x100/0x150 kmem_cache_free+0x128/0x6e0 kasan_remove_zero_shadow+0x9c4/0xa20 memunmap_pages+0x2b8/0x5c0 devm_action_release+0x54/0x70 release_nodes+0xc8/0x1a0 devres_release_all+0xe0/0x140 device_unbind_cleanup+0x30/0x120 device_release_driver_internal+0x3e4/0x450 unbind_store+0xfc/0x110 drv_attr_store+0x78/0xb0 sysfs_kf_write+0x114/0x140 kernfs_fop_write_iter+0x264/0x3f0 vfs_write+0x3bc/0x7d0 ksys_write+0xa4/0x190 system_call_exception+0x190/0x480 system_call_vectored_common+0x15c/0x2ec ---- interrupt: 3000 at 0x7fff93b3d3f4 NIP: 00007fff93b3d3f4 LR: 00007fff93b3d3f4 CTR: 0000000000000000 REGS: c0000003f1b07e80 TRAP: 3000 Not tainted (6.19.0-rc1-00048-gea1013c15392) MSR: 800000000280f033 <SF,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE> CR: 48888208 XER: 00000000 <...> NIP [00007fff93b3d3f4] 0x7fff93b3d3f4 LR [00007fff93b3d3f4] 0x7fff93b3d3f4 ---- interrupt: 3000 The buggy address belongs to the object at c0000003c38e0000 which belongs to the cache pgtable-2^9 of size 4096 The buggy address is located 0 bytes inside of 4096-byte region [c0000003c38e0000, c0000003c38e1000) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3c38c head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 memcg:c0000003bfd63e01 flags: 0x63ffff800000040(head|node=6|zone=0|lastcpupid=0x7ffff) page_type: f5(slab) raw: 063ffff800000040 c000000140058980 5deadbeef0000122 0000000000000000 raw: 0000000000000000 0000000080200020 00000000f5000000 c0000003bfd63e01 head: 063ffff800000040 c000000140058980 5deadbeef0000122 0000000000000000 head: 0000000000000000 0000000080200020 00000000f5000000 c0000003bfd63e01 head: 063ffff800000002 c00c000000f0e301 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 page dumped because: kasan: bad access detected [ 138.953636] [ T2164] Memory state around the buggy address: [ 138.953643] [ T2164] c0000003c38dff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 138.953652] [ T2164] c0000003c38dff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 138.953661] [ T2164] >c0000003c38e0000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 138.953669] [ T2164] ^ [ 138.953675] [ T2164] c0000003c38e0080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 138.953684] [ T2164] c0000003c38e0100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 138.953692] [ T2164] ================================================================== [ 138.953701] [ T2164] Disabling lock debugging due to kernel taint

Remote code execution in IBM Total Storage Service Console (TSSC) and TS4500 IMC versions 9.2 through 9.6 allows unauthenticated attackers to execute arbitrary commands with normal user privileges via improper input validation. The vulnerability carries a CVSS score of 7.3 with network attack vector and low complexity (AV:N/AC:L/PR:N/UI:N), enabling remote exploitation without authentication. No public exploit identified at time of analysis, and EPSS risk data is not available for this 2026 CVE.

IBM Security Verify Access and Verify Identity Access products versions 10.0 through 10.0.9.1 and 11.0 through 11.0.2 use cryptographic algorithms weaker than expected, allowing authenticated network attackers to decrypt highly sensitive information. The vulnerability affects both containerized and non-containerized deployments across multiple major versions. CVSS 6.5 reflects high confidentiality impact with low attack complexity, though authenticated access is required.

Arbitrary file write vulnerability in IBM Guardium Data Protection 12.1 allows authenticated administrative users to traverse directories and write files to arbitrary locations via specially crafted URLs containing path traversal sequences (/../). The vulnerability requires high-privilege admin credentials and network access but results in integrity compromise without requiring user interaction, making it a post-authentication privilege abuse risk for organizations running this data protection platform.

Improper privilege management in IBM Guardium Key Lifecycle Manager versions 4.1 through 5.1 allows remote unauthenticated attackers to achieve limited confidentiality and integrity compromise through a network attack requiring high complexity. The vulnerability stems from inadequate access control enforcement that permits elevation of privileges without authentication, affecting a widely deployed enterprise key management solution.

Authenticated users can trigger a denial of service in IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.4 for Linux, UNIX, and Windows through improper neutralization of special elements in database query logic, causing service unavailability without requiring user interaction or special configuration. The vulnerability affects both standalone Db2 instances and Db2 Connect Server deployments, with CVSS 6.5 reflecting network accessibility and authenticated access requirements. No public exploit code or active exploitation has been identified at the time of analysis.

IBM Guardium Data Protection versions 12.0, 12.1, and 12.2 contain an authentication bypass vulnerability in the access management control panel that allows high-privilege users to circumvent business logic controls and modify access policies without proper authorization constraints. The vulnerability requires administrative credentials to trigger but results in unauthorized privilege escalation or policy modification within the management interface. No public exploit code or active exploitation has been identified at the time of analysis.

IBM Guardium Data Protection 12.0 through 12.2 contains a security misconfiguration in the user access control panel that allows high-privilege administrators to modify integrity settings without proper authorization constraints. The vulnerability is remotely accessible and requires existing administrative credentials, resulting in limited integrity impact with no confidentiality or availability effect. CVSS score of 2.7 reflects the low risk profile due to required administrative authentication and minimal scope of impact.

IBM Security Verify Directory (Container) versions 10.0.0 through 10.0.0.3 fails to validate uploaded file types, allowing privileged users to upload malicious files that can be distributed to victims for lateral attacks. The vulnerability requires high-privilege credentials but enables integrity compromise and partial availability impact once exploited.

Stored cross-site scripting in IBM Guardium Data Protection 12.1 allows high-privileged administrative users to inject malicious JavaScript into the Web UI, enabling credential theft and session hijacking within trusted administrative sessions. The vulnerability requires administrative privileges and does not trigger user interaction, allowing attackers with admin access to persistently compromise the confidentiality and integrity of the system. A patch is available from IBM.

Stored cross-site scripting (XSS) in IBM Guardium Data Protection 12.1 through 26.0.0.4 allows authenticated administrative users to inject arbitrary JavaScript into the Web UI, enabling credential theft and session hijacking of other administrators within a trusted session. The vulnerability requires administrative privileges and user interaction (clicking a malicious link or visiting a crafted page), limiting its scope but maintaining high impact for multi-admin environments. EPSS context and active exploitation status are not publicly confirmed at this time.

Identity spoofing in IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.4 allows authenticated attackers with low privileges to impersonate other users and escalate privileges when applications are deployed without proper authentication and authorization controls. The vulnerability requires high attack complexity and low-privilege credentials, but enables complete compromise of confidentiality, integrity, and availability within the application scope. CVSS 7.5 (High) reflects the significant impact once exploitation conditions are met. No public exploit identified at time of analysis, and vendor patch is available per IBM advisory.

Sensitive information disclosure in IBM Tivoli Netcool Impact versions 7.1.0.0 through 7.1.0.37 allows local attackers with no authentication required to extract credentials and configuration secrets from application log files. With CVSS 8.4 and High impact to confidentiality, integrity, and availability, the CWE-532 flaw enables privilege escalation through exposed secrets. No public exploit identified at time of analysis, with EPSS data unavailable, though the low attack complexity (AC:L) suggests straightforward exploitation once local access is obtained.

Remote code execution in IBM Langflow Desktop versions 1.6.0 through 1.8.2 allows authenticated attackers to execute arbitrary code via unsafe deserialization in the FAISS component. The vulnerability stems from an insecure default configuration that permits deserialization of untrusted data. With CVSS 8.8 (High) reflecting network accessibility, low complexity, and full impact on confidentiality, integrity, and availability, this represents a critical risk for organizations running affected versions. Vendor-released patch available through IBM security advisory. No public exploit identified at time of analysis, though the attack path is well-understood given the CWE-502 deserialization vulnerability class.

Local code execution in IBM Security Verify Access 10.0-10.0.9.1 and 11.0-11.0.2 (both container and non-container deployments) allows unauthenticated local attackers to execute malicious scripts from outside the application's control sphere. This CWE-829 inclusion of functionality from untrusted control sphere vulnerability achieves container escape (scope change to C in CVSS vector), enabling high confidentiality impact and limited integrity/availability impact. No public exploit or active exploitation confirmed at time of analysis, though the low attack complexity (AC:L) and lack of required privileges (PR:N) make this readily exploitable by local users.

Local privilege escalation to root in IBM Verify/Security Verify Access products 10.0-11.0.2 allows unauthenticated local users to gain full system control via excessive process privileges (CWE-250). The CVSS 9.3 score reflects local attack vector but no authentication requirement (PR:N) and complete system compromise with scope change. Patch available per vendor advisory. No public exploit identified at time of analysis, though the local attack vector and low complexity (AC:L) suggest straightforward exploitation once local access is obtained.

Server-Side Request Forgery (SSRF) in IBM Verify Identity Access and Security Verify Access products (versions 10.0-11.0.2) allows unauthenticated remote attackers to contact internal authentication endpoints that should be protected by the Reverse Proxy component. This bypass enables attackers to interact with restricted internal services, potentially leading to unauthorized information disclosure and limited integrity impact. EPSS data not provided, but CVSS 7.2 (High) with network-accessible, low-complexity attack vector indicates moderate real-world risk. No evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis.

IBM Concert versions 1.0.0 through 2.2.0 create temporary files with predictable names, allowing local unauthenticated attackers to overwrite arbitrary files through symlink attacks. An attacker with local system access can exploit this insecure temporary file handling to modify critical application or system files, achieving high integrity impact. No public exploit code or active exploitation has been confirmed at time of analysis.

Authenticated stored cross-site scripting (XSS) in IBM Content Navigator versions 3.0.15, 3.1.0, and 3.2.0 allows logged-in users to inject arbitrary JavaScript into the Web UI, potentially enabling credential theft or session hijacking within trusted browser contexts. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting exposure to insider threats and social engineering scenarios where victims click attacker-controlled links. No public exploit code or active exploitation has been confirmed; patch availability from IBM mitigates the risk for patched deployments.

IBM Aspera Shares 1.9.9 through 1.11.0 lacks proper rate limiting on authenticated user email submissions, allowing high-privilege users to trigger email flooding or denial of service conditions. The vulnerability requires authentication at the admin or high-privilege level and results in service availability degradation rather than data compromise. EPSS exploitation probability is low (2.7 CVSS, high privilege requirement), and no public exploit code or active exploitation has been identified at time of analysis.

HTML injection in IBM Aspera Shares 1.9.9 through 1.11.0 allows authenticated remote attackers with high privileges to inject malicious HTML that executes in victim browsers within the hosting site's security context, requiring user interaction to view the injected content. CVSS 4.8 indicates low overall severity; patch is available from IBM.

HTTP header injection in IBM Aspera Shares 1.9.9 through 1.11.0 allows authenticated attackers to conduct cross-site scripting, cache poisoning, and session hijacking attacks via improper validation of HOST headers. The vulnerability requires authenticated access and carries a CVSS score of 5.4 with moderate confidentiality and integrity impact. No public exploit code or active exploitation has been confirmed.

Stored cross-site scripting in IBM Aspera Shares 1.9.9 through 1.11.0 allows authenticated high-privilege users to inject arbitrary JavaScript into the Web UI, potentially enabling credential theft or session hijacking within trusted browser sessions. CVSS 5.5 reflects the requirement for elevated privileges but global scope impact; no public exploit or active exploitation confirmed.

IBM Aspera Shares versions 1.9.9 through 1.11.0 fail to invalidate user sessions following password reset operations, enabling authenticated users to maintain access to compromised accounts and impersonate other users. The vulnerability requires prior authentication and allows limited confidentiality and integrity impact through account takeover. IBM has released a patch to address this session management defect.

IBM DataPower Gateway versions 10.5.0.0-10.5.0.20, 10.6.0.0-10.6.0.8, and 10.6.1.0-10.6.5.0 are vulnerable to cross-site request forgery (CSRF) that allows unauthenticated remote attackers to execute unauthorized actions on behalf of trusted users with user interaction. The vulnerability carries a CVSS score of 6.5 with medium real-world risk due to the requirement for user interaction and the integrity-only impact.

Open redirect vulnerability in IBM Verify Identity Access Container versions 11.0-11.0.2 and 10.0-10.0.9.1, and IBM Security Verify Access Container and non-container variants across the same version ranges, enables remote phishing attacks via specially crafted requests that redirect users to arbitrary websites. The attack requires user interaction (UI:R) and unusual network or exploitation circumstances (AC:H), limiting real-world impact; no public exploit code or confirmed active exploitation has been identified.

IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 fail to set the secure attribute on authorization tokens and session cookies, allowing unauthenticated remote attackers to obtain sensitive cookie values through man-in-the-middle interception via unencrypted HTTP connections. An attacker can trick a user into clicking an HTTP link or embed such a link on a visited website, causing the browser to transmit cookies over unencrypted channels where they can be captured. No public exploit code or active exploitation has been reported at the time of analysis, though the vulnerability carries a CVSS score of 4.3 reflecting the requirement for user interaction.

IBM DataPower Gateway versions 10.6CD (10.6.1.0-10.6.5.0), 10.5.0 (10.5.0.0-10.5.0.20), and 10.6.0 (10.6.0.0-10.6.0.8) disclose sensitive system information from other domains to authenticated administrative users due to improper access control. The vulnerability requires high-privilege administrative access over the network and results in confidentiality impact only; no public exploit code or active exploitation has been confirmed. CVSS 4.1 reflects low real-world risk due to authentication requirement, though patch availability limits exposure window.

IBM Aspera Shares versions 1.9.9 through 1.11.0 implements insufficient cryptographic strength that permits remote attackers without authentication to decrypt sensitive information. The vulnerability stems from use of weaker-than-expected cryptographic algorithms, allowing confidentiality breach of data protected by the application. A vendor patch is available.

IBM Verify Identity Access and Security Verify Access versions 10.0 through 10.0.9.1 and 11.0 through 11.0.2 allow unauthenticated remote attackers to access sensitive information through HTTP request smuggling via inconsistent interpretation of HTTP requests by a reverse proxy. The vulnerability affects both container and non-container deployments and has a CVSS score of 5.3 with confirmed vendor patch availability.

Remote attackers can access sensitive information in IBM Verify Identity Access Container 11.0-11.0.2, IBM Security Verify Access Container 10.0-10.0.9.1, and their non-containerized counterparts through HTTP request smuggling. The vulnerability exploits inconsistent HTTP request interpretation between the application and its reverse proxy, allowing unauthenticated remote access to restricted data with low attack complexity.

Command injection vulnerability in IBM Security Verify Access and IBM Verify Identity Access (versions 10.0-10.0.9.1 and 11.0-11.0.2, both containerized and non-containerized deployments) allows remote unauthenticated attackers to execute arbitrary commands with lower user privileges. The vulnerability stems from improper validation of user-supplied input (CWE-78). With CVSS 7.3 and network-accessible attack vector requiring no authentication or user interaction, this represents a significant exposure for internet-facing identity and access management infrastructure. No public exploit identified at time of analysis, though EPSS data not provided. Vendor patch available per IBM advisory.

Authentication bypass in IBM Verify Identity Access and IBM Security Verify Access (versions 10.0-10.0.9.1 and 11.0-11.0.2, both container and non-container deployments) allows remote attackers to gain unauthorized access under specific high-load conditions without authentication. The vulnerability carries an EPSS score indicating moderate exploitation probability, with vendor patch available but no confirmed active exploitation or public proof-of-concept at time of analysis. Attack complexity is rated high (AC:H), suggesting exploitation requires specific timing or environmental conditions related to load stress.

IBM Verify Identity Access Container and IBM Security Verify Access versions 10.0-10.0.9.1 and 11.0-11.0.2 return JSON payloads with incorrect Content-Type headers (text/html instead of application/json) when listing certificates via browser sessions, enabling stored or reflected cross-site scripting attacks when browsers interpret the JSON data as executable script. Authenticated users with UI interaction can trigger JavaScript injection affecting confidentiality and integrity of user sessions.

SQL injection in IBM Storage Protect Server 8.2.0 and Storage Protect Plus Server allows authenticated remote attackers to execute arbitrary SQL commands against the back-end database, enabling unauthorized data access, modification, or deletion. The vulnerability requires low attack complexity and low-level privileges (CVSS 7.6, PR:L), making it exploitable by any authenticated user. No public exploit identified at time of analysis, though SQL injection techniques are well-documented. EPSS data not provided, but SQL injection vulnerabilities historically see moderate exploitation rates when authentication barriers are low.

p11-kit remote token handling fails to validate NULL derive mechanism parameters in C_DeriveKey operations, allowing unauthenticated remote attackers to trigger NULL pointer dereferences and undefined memory access in the RPC client layer. This denial-of-service vulnerability affects Red Hat Enterprise Linux versions 6 through 10 and OpenShift Container Platform 4, with a CVSS score of 5.3 reflecting moderate availability impact. No public exploit identified at time of analysis.

IBM Knowledge Catalog Standard Cartridge versions 5.0.0 through 5.2.1 improperly store sensitive information in log files that can be read by local privileged users. An attacker with high privileges on the affected system can access these logs to disclose confidential data without requiring user interaction. While no active exploitation in the wild or public proof-of-concept has been reported, a vendor patch is available and should be applied promptly.

IBM Maximo Application Suite Monitor Component versions 8.10, 8.11, 9.0, and 9.1 contain an improper neutralization vulnerability in log file handling that allows unauthorized users to inject arbitrary data into log messages. An attacker with local access can manipulate log entries to inject malicious content, potentially leading to log tampering and integrity compromise. While the CVSS score of 4.0 reflects low severity with no confidentiality or availability impact, the vulnerability requires no authentication or special privileges, making it a concern for environments with local access controls.

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain an HTTP header injection vulnerability caused by improper validation of the HOST header, allowing unauthenticated remote attackers to conduct cross-site scripting (XSS), cache poisoning, and session hijacking attacks. A vendor patch is available, and while this vulnerability is not currently listed as actively exploited in CISA's Known Exploited Vulnerabilities catalog, the CVSS score of 6.5 with network accessibility and low attack complexity indicates moderate real-world risk.

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain a server-side request forgery (SSRF) vulnerability that allows authenticated attackers to send unauthorized requests from the affected system. This could enable network enumeration, lateral movement, or facilitate secondary attacks against internal systems. The vulnerability requires valid authentication credentials but presents moderate risk with a CVSS score of 5.4 and has an available patch from IBM.

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain an information disclosure vulnerability caused by improper handling of JSON server responses, allowing authenticated attackers to expose sensitive data. The vulnerability requires low-complexity network access with valid credentials but does not require user interaction, making it accessible to any authenticated user with network connectivity. No evidence of active exploitation in the wild has been identified, though a patch is available from the vendor.

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain a stored or reflected cross-site scripting (XSS) vulnerability in the Web UI that allows authenticated users to inject arbitrary JavaScript code. An attacker with valid credentials can exploit this vulnerability to alter application functionality and potentially steal session credentials or perform actions on behalf of other users within a trusted browser session. A patch is available from IBM, and the vulnerability has a CVSS score of 5.4 with moderate real-world risk due to the requirement for prior authentication and user interaction.

IBM Concert versions 1.0.0 through 2.2.0 transmit sensitive data in cleartext, allowing attackers to intercept and read this information via man-in-the-middle (MITM) attacks. The vulnerability affects all versions within the specified range of the IBM Concert application. An attacker positioned on the network path between a client and Concert server can eavesdrop on communications to obtain confidential information, though exploitation requires moderate attack complexity and active network positioning.

IBM Concert versions 1.0.0 through 2.2.0 implement cryptographic algorithms that are weaker than expected, allowing attackers to decrypt highly sensitive information without authentication. The vulnerability has a CVSS score of 5.9 with high confidentiality impact but no integrity or availability impact. A patch is available from IBM, and this represents a pure information disclosure risk affecting the confidentiality of encrypted data.

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain a stored or reflected cross-site scripting (XSS) vulnerability in the Web UI that allows authenticated users to inject arbitrary JavaScript code. An attacker with valid credentials can exploit this vulnerability to steal session tokens, capture credentials entered by other users, or perform actions on behalf of compromised administrators within a trusted session, potentially leading to unauthorized access to sensitive data integration and metadata management systems.