CVE-2026-9320: CWE-400 Uncontrolled Resource Consumption in IBM WebSphere Application Server
IBM WebSphere Application Server 9.0, and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources.
AI Analysis
Technical Summary
CVE-2026-9320 is a denial of service vulnerability in IBM WebSphere Application Server and Liberty editions, caused by uncontrolled resource consumption (CWE-400). Remote attackers can exploit this by sending specially-crafted requests that cause the server to consume excessive memory, potentially leading to service disruption. Affected versions include WebSphere Application Server 9.0.0, 8.5.0, and Liberty from 17.0.0.3 through 26.0.0.6. The vulnerability has a CVSS 3.1 base score of 5.9, indicating medium severity. No vendor advisory or patch information is currently available, and no known exploits are reported in the wild.
Potential Impact
Successful exploitation results in denial of service by causing the affected IBM WebSphere Application Server to consume excessive memory resources, potentially leading to server instability or crash. There is no impact on confidentiality or integrity reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, consider limiting exposure of affected servers to untrusted networks and monitor for unusual memory consumption patterns. Avoid relying on generic mitigations unless specifically recommended by IBM.
CVE-2026-9320: CWE-400 Uncontrolled Resource Consumption in IBM WebSphere Application Server
Description
IBM WebSphere Application Server 9.0, and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources.
CVSS v3.1
Score 5.9medium
Affected software
pkg:github/ibm/websphere_application_serverpkg:github/ibm/websphere_application_server_libertycpe:2.3:a:ibm:websphere_application_server:9.0:*:*:*:*:*:*:*cpe:2.3:a:ibm:websphere_application_server:9.0.0:*:*:*:*:*:*:*cpe:2.3:a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:*cpe:2.3:a:ibm:websphere_application_server:8.5.0:*:*:*:*:*:*:*cpe:2.3:a:ibm:websphere_application_server___liberty:17.0.0.3:*:*:*:*:*:*:*cpe:2.3:a:ibm:websphere_application_server___liberty:26.0.0.6:*:*:*:*:*:*:*Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-9320 is a denial of service vulnerability in IBM WebSphere Application Server and Liberty editions, caused by uncontrolled resource consumption (CWE-400). Remote attackers can exploit this by sending specially-crafted requests that cause the server to consume excessive memory, potentially leading to service disruption. Affected versions include WebSphere Application Server 9.0.0, 8.5.0, and Liberty from 17.0.0.3 through 26.0.0.6. The vulnerability has a CVSS 3.1 base score of 5.9, indicating medium severity. No vendor advisory or patch information is currently available, and no known exploits are reported in the wild.
Potential Impact
Successful exploitation results in denial of service by causing the affected IBM WebSphere Application Server to consume excessive memory resources, potentially leading to server instability or crash. There is no impact on confidentiality or integrity reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, consider limiting exposure of affected servers to untrusted networks and monitor for unusual memory consumption patterns. Avoid relying on generic mitigations unless specifically recommended by IBM.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- ibm
- Date Reserved
- 2026-05-22T20:33:33.213Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a39572beed863c81e0538f4
Added to database: 06/22/2026, 15:39:23 UTC
Last enriched: 06/22/2026, 15:56:13 UTC
Last updated: 06/23/2026, 01:49:26 UTC
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.