PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8835 IBM CVE debrief

IBM HTTP Server versions 8.5 (prior to 8.5.5.30) and 9.0 (prior to 9.0.5.29) contain an invalid pointer dereference vulnerability in the Administration Server component. An authenticated privileged user can trigger this flaw to read sensitive information or cause a denial of service. The vulnerability requires adjacent network access and has low attack complexity, with confidentiality and availability impacts rated HIGH. IBM has released security updates addressing this issue.

Vendor: IBM
Product: HTTP Server
CVSS: 7.3 (HIGH)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-26
Advisory published: 2026-05-26
Advisory updated: 2026-05-26

Who should care

Organizations running IBM HTTP Server 8.5 or 9.0 with Administration Server enabled; security teams managing WebSphere Application Server infrastructure; compliance officers tracking patch status for HIGH severity vulnerabilities

Technical summary

The vulnerability exists in IBM HTTP Server's Administration Server component, where improper pointer handling lets an authenticated privileged user make the server dereference an invalid pointer. The attack vector requires adjacent network access (AV:A) and valid privileged credentials (PR:L), with no user interaction required (UI:N). Successful exploitation can expose sensitive memory contents (C:H) or crash the server process (A:H); the flaw does not impact integrity (I:N). Affected platforms include AIX, z/OS, Linux, and Windows deployments running vulnerable IBM HTTP Server versions.

Defensive priority

HIGH

Recommended defensive actions

  • Apply IBM HTTP Server fix pack 8.5.5.30 (8.5 stream) or 9.0.5.29 (9.0 stream), or later, per the vendor security advisory
  • Restrict Administration Server network access to trusted administrative hosts only
  • Audit privileged accounts with Administration Server access for unauthorized activity
  • Monitor Administration Server logs for anomalous requests or unexpected process terminations
  • Validate pointer safety controls in custom modules interacting with Administration Server APIs

Evidence notes

Vulnerability confirmed via NVD CPE criteria showing affected versions 8.5.0.0 through 8.5.5.30 (exclusive) and 9.0.0.0 through 9.0.5.29 (exclusive). The CVSS 3.1 vector AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H supports the adjacent network, low attack complexity, and privileged access requirements. CWE-822 (Untrusted Pointer Dereference) is classified as the primary weakness. IBM PSIRT advisory published 2026-05-26.
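A patch-status check built from the version ranges in the evidence notes above, as an added example that is not PatchSiren's or IBM's code; the host names and installed levels in the sample inventory are constructed:

```python
# Patch-status check for CVE-2026-8835 (IBM HTTP Server). Affected ranges follow
# the NVD CPE criteria in the debrief: lower bound inclusive, upper bound exclusive.
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]
AFFECTED_RANGES: Dict[str, Tuple[Version, Version]] = {
    "8.5": ((8, 5, 0, 0), (8, 5, 5, 30)),
    "9.0": ((9, 0, 0, 0), (9, 0, 5, 29)),
}

def parse_version(text: str) -> Version:
    """Parse 'V.R.M.F' (e.g. '9.0.5.28') into a 4-tuple, padding short forms."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    parts += [0] * (4 - len(parts))
    return (parts[0], parts[1], parts[2], parts[3])

def stream_of(v: Version) -> str:
    """Release stream ('8.5' or '9.0') that selects the applicable range."""
    return f"{v[0]}.{v[1]}"

def is_affected(version: str) -> bool:
    """True if the version falls inside the affected range for its stream."""
    v = parse_version(version)
    bounds = AFFECTED_RANGES.get(stream_of(v))
    if bounds is None:
        return False  # stream not named in the advisory's CPE criteria
    low, high = bounds
    return low <= v < high

def audit(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Classify each host as VULNERABLE, PATCHED, or OUT OF SCOPE."""
    report = []
    for host, version in sorted(inventory.items()):
        if is_affected(version):
            status = "VULNERABLE"
        elif stream_of(parse_version(version)) in AFFECTED_RANGES:
            status = "PATCHED"
        else:
            status = "OUT OF SCOPE"
        report.append((host, version, status))
    return report

# Constructed sample inventory (hypothetical host names and levels).
SAMPLE_INVENTORY = {"ihs-prod-01": "9.0.5.28", "ihs-prod-02": "9.0.5.29",
                    "ihs-legacy-01": "8.5.5.29", "ihs-legacy-02": "8.5.5.30",
                    "ihs-lab-01": "9.1.0.0"}
```

Feed `audit()` the host-to-version map from your real inventory; the fixed levels themselves (8.5.5.30 and 9.0.5.29) report as PATCHED because the upper bounds are exclusive.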

Official resources

2026-05-26