CVE-2026-9002: CWE-400 Uncontrolled Resource Consumption in IBM WebSphere Extreme Scale
IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 could allow an adjacent attacker to cause a denial of service due to improper validation in the XDF decoder. The application processes deeply nested Protocol Buffers messages and attacker-controlled length prefixes without sufficient bounds checking, which may allow an attacker on the same network to trigger a StackOverflowError or OutOfMemoryError, resulting in a crash of the WebSphere Application Server JVM.
AI Analysis
Technical Summary
CVE-2026-9002 is a CWE-400 uncontrolled resource consumption vulnerability in IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6. The issue arises from insufficient bounds checking in the XDF decoder when processing deeply nested Protocol Buffers messages and attacker-controlled length prefixes. An attacker on the same network can exploit this to cause a denial of service by crashing the JVM hosting the WebSphere Application Server via StackOverflowError or OutOfMemoryError. The vulnerability has a CVSS 3.1 base score of 6.5, reflecting medium severity with no impact on confidentiality or integrity, only availability.
Potential Impact
Successful exploitation results in denial of service by crashing the WebSphere Application Server JVM due to resource exhaustion (stack overflow or out of memory). There is no impact on confidentiality or integrity. The attacker must be adjacent on the network to exploit this vulnerability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or temporary workaround is currently documented. Until a patch is available, limit network access to trusted sources to reduce exposure to adjacent attackers.
CVE-2026-9002: CWE-400 Uncontrolled Resource Consumption in IBM WebSphere Extreme Scale
Description
IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 could allow an adjacent attacker to cause a denial of service due to improper validation in the XDF decoder. The application processes deeply nested Protocol Buffers messages and attacker-controlled length prefixes without sufficient bounds checking, which may allow an attacker on the same network to trigger a StackOverflowError or OutOfMemoryError, resulting in a crash of the WebSphere Application Server JVM.
CVSS v3.1
Score 6.5medium
Affected software
pkg:maven/ibm/websphere_extreme_scalecpe:2.3:a:ibm:websphere_extreme_scale:8.6.1.0:*:*:*:*:*:*:*cpe:2.3:a:ibm:websphere_extreme_scale:8.6.1.6:*:*:*:*:*:*:*Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-9002 is a CWE-400 uncontrolled resource consumption vulnerability in IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6. The issue arises from insufficient bounds checking in the XDF decoder when processing deeply nested Protocol Buffers messages and attacker-controlled length prefixes. An attacker on the same network can exploit this to cause a denial of service by crashing the JVM hosting the WebSphere Application Server via StackOverflowError or OutOfMemoryError. The vulnerability has a CVSS 3.1 base score of 6.5, reflecting medium severity with no impact on confidentiality or integrity, only availability.
Potential Impact
Successful exploitation results in denial of service by crashing the WebSphere Application Server JVM due to resource exhaustion (stack overflow or out of memory). There is no impact on confidentiality or integrity. The attacker must be adjacent on the network to exploit this vulnerability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or temporary workaround is currently documented. Until a patch is available, limit network access to trusted sources to reduce exposure to adjacent attackers.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- ibm
- Date Reserved
- 2026-05-19T13:37:18.171Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a441ac027e9c7971948ab76
Added to database: 06/30/2026, 19:36:32 UTC
Last enriched: 06/30/2026, 19:51:59 UTC
Last updated: 06/30/2026, 20:21:52 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.