PatchSiren cyber security CVE debrief

CVE-2026-8852 IBM CVE debrief

IBM HTTP Server versions 8.5 (prior to 8.5.5.30) and 9.0 (prior to 9.0.5.29) contain a denial-of-service vulnerability in the optional mod_fastcgi module. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) indicates a local attack vector with low attack complexity, requiring no privileges or user interaction, resulting in high availability impact. The vulnerability is classified under CWE-617 (Reachable Assertion). IBM has released a vendor advisory with remediation guidance. No known exploitation in ransomware campaigns has been reported (KEV: false).

Vendor: IBM
Product: HTTP Server
CVSS: 6.2 (MEDIUM)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-26
Advisory published: 2026-05-26
Advisory updated: 2026-05-26

Who should care

System administrators running IBM HTTP Server 8.5 or 9.0 with mod_fastcgi enabled; security teams responsible for web server infrastructure; organizations using IBM WebSphere Application Server, which bundles IBM HTTP Server.

Technical summary

The vulnerability exists in the optional mod_fastcgi module of IBM HTTP Server. A local attacker can trigger a denial-of-service condition without requiring privileges or user interaction. The high availability impact (A:H) suggests complete service disruption is possible. The local attack vector indicates the attacker must have some level of access to the target system, limiting remote exploitation risk.

Defensive priority

Medium

Recommended defensive actions

  • Review IBM HTTP Server deployments to identify systems running affected versions (8.5 prior to 8.5.5.30, 9.0 prior to 9.0.5.29)
  • Verify whether the optional mod_fastcgi module is enabled in your configuration
  • Apply the fixes or mitigation guidance provided in the IBM security advisory
  • Monitor IBM support channels for additional updates to this advisory
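The first two actions above (identify affected versions, then confirm whether mod_fastcgi is actually loaded) are easy to get wrong by hand when many hosts are involved. The script below is an added example written for this debrief; it is not code from PatchSiren or IBM. It encodes the affected ranges exactly as the advisory states them (8.5.0.0 up to but not including 8.5.5.30, and 9.0.0.0 up to but not including 9.0.5.29) and scans an httpd.conf for an uncommented `LoadModule fastcgi_module` directive. The directive name is the standard Apache one for mod_fastcgi and is an assumption here, as is the dotted four-part version string; included files are not followed, so point it at the effective configuration. The sample version strings and config snippets are constructed for illustration.

```python
"""Added example (not from the PatchSiren page or from IBM).

Checks an IBM HTTP Server version string against the affected ranges stated
in the advisory and checks whether an httpd.conf text enables mod_fastcgi.
Assumptions: versions are four dotted integers; the module is enabled by an
uncommented `LoadModule fastcgi_module <path>` line (standard Apache syntax).
"""
import re

# Half-open ranges [lower, upper) taken from the advisory text:
#   8.5.0.0 <= v < 8.5.5.30  and  9.0.0.0 <= v < 9.0.5.29
AFFECTED_RANGES = [
    ((8, 5, 0, 0), (8, 5, 5, 30)),
    ((9, 0, 0, 0), (9, 0, 5, 29)),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")
_LOADMODULE_RE = re.compile(r"^LoadModule\s+fastcgi_module\s+\S+", re.IGNORECASE)


def parse_version(text):
    """Extract the first four-part dotted version from text as a tuple of ints."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no four-part version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(text):
    """True if the version in text falls inside one of the advisory's ranges."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fastcgi_enabled(conf_text):
    """True if a non-commented LoadModule line for fastcgi_module is present.

    Only the given text is inspected; Include directives are not followed
    (assumption: caller passes the effective configuration).
    """
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if _LOADMODULE_RE.match(stripped):
            return True
    return False


def assess(version_text, conf_text):
    """Combine both checks into a single triage verdict."""
    affected = is_affected_version(version_text)
    if not affected:
        return "not-affected"
    if fastcgi_enabled(conf_text):
        return "exposed"
    return "affected-version-module-disabled"


if __name__ == "__main__":
    # Constructed sample inputs, not real hosts.
    samples = [
        ("IBM HTTP Server 9.0.5.12",
         "LoadModule fastcgi_module modules/mod_fastcgi.so\n"),
        ("IBM HTTP Server 8.5.5.22",
         "#LoadModule fastcgi_module modules/mod_fastcgi.so\n"),
        ("IBM HTTP Server 9.0.5.29",
         "LoadModule fastcgi_module modules/mod_fastcgi.so\n"),
    ]
    for ver, conf in samples:
        print(f"{ver}: {assess(ver, conf)}")
```

A host reports `exposed` only when both conditions hold; an affected version with the module commented out is still worth patching (the next configuration change could re-enable it), which is why the script reports it separately rather than as `not-affected`.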

Evidence notes

Vulnerability affects IBM HTTP Server 8.5.0.0 through versions before 8.5.5.30, and 9.0.0.0 through versions before 9.0.5.29. The mod_fastcgi module is described as optional, suggesting not all deployments are affected. CPE entries indicate the software runs on AIX, z/OS, Linux, and Windows platforms, though these operating systems themselves are not vulnerable.

Official resources

IBM disclosed this vulnerability via their Product Security Incident Response Team (PSIRT) and it was subsequently published in the NVD. The CVE was published on 2026-05-26 and modified the same day.