PatchSiren cyber security CVE debrief
CVE-2026-6936 IBM CVE debrief
IBM i versions 7.3 through 7.6 contain a denial-of-service vulnerability in the Integrated Language Environment (ILE) compiler. The flaw stems from uncontrolled recursion (CWE-674) when processing specially crafted source code containing a specific combination of statements. An authenticated attacker with compilation privileges can trigger this condition, causing the compiler to exhaust system resources and resulting in service disruption. The vulnerability was disclosed by IBM PSIRT and published to the NVD on 2026-05-27. No known exploitation in ransomware campaigns has been reported, and the vulnerability is not listed in CISA KEV. Organizations should apply IBM's security updates and restrict compilation privileges to trusted users pending patching.
- Vendor: IBM
- Product: i
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-28
Who should care
IBM i system administrators, security teams managing midrange infrastructure, developers with ILE compilation access, and organizations running RPG, COBOL, C, C++, or CL applications on IBM i 7.3-7.6
Technical summary
The ILE compiler in IBM i fails to properly limit recursion depth when parsing specific statement combinations in source code. An authenticated user can submit malicious source code that triggers excessive recursive calls, consuming stack memory or CPU resources and causing the compilation process—and potentially the subsystem—to become unresponsive. The vulnerability requires network access and valid authentication credentials but no user interaction. Impact is limited to availability (no confidentiality or integrity compromise).
Defensive priority
Medium
Recommended defensive actions
- Apply IBM security updates for affected IBM i versions (7.3, 7.4, 7.5, 7.6) as referenced in IBM's security advisory
- Restrict ILE compilation privileges to authorized administrative users until patches are deployed
- Monitor compiler processes for abnormal resource consumption or recursion depth anomalies
- Review audit logs for compilation of untrusted or externally sourced source code
- Validate source code through static analysis before compilation in production environments
Evidence notes
Vulnerability confirmed through official IBM security advisory and NVD entry. CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. CWE-674 (Uncontrolled Recursion) identified as root cause. Affected versions explicitly listed as IBM i 7.3, 7.4, 7.5, and 7.6.
Official resources
- CVE-2026-6936 CVE record (CVE.org)
- CVE-2026-6936 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: IBM PSIRT disclosed this vulnerability via official security advisory. The CVE record was published to NVD on 2026-05-27 with status 'Undergoing Analysis'.