CVE-2026-8854 IBM CVE debrief

IBM HTTP Server versions 8.5 (prior to 8.5.5.30) and 9.0 (prior to 9.0.5.29) contain a denial-of-service vulnerability in the optional mod_mem_cache module. The flaw, classified as CWE-825 (Expired Pointer Dereference), allows an unauthenticated network attacker to cause a high availability impact. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) indicates the vulnerability is exploitable over the network with low attack complexity, requiring no privileges or user interaction, and affects availability only. IBM has released security updates addressing this issue. Organizations running affected versions with mod_mem_cache enabled should prioritize patching; the module is optional and may not be deployed in all configurations.

Vendor: IBM
Product: HTTP Server
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-26
Advisory published: 2026-05-26
Advisory updated: 2026-05-26

Who should care

Organizations running IBM HTTP Server 8.5 or 9.0 with mod_mem_cache enabled, particularly those hosting public-facing web services where availability is critical.

Technical summary

The vulnerability exists in the optional mod_mem_cache module of IBM HTTP Server. An expired pointer dereference (CWE-825) can be triggered remotely, resulting in denial of service. The attack surface is network-accessible and requires no authentication. Fixed versions are 8.5.5.30 and 9.0.5.29.

Defensive priority

HIGH

Recommended defensive actions

  • Verify IBM HTTP Server version and identify systems running affected releases (8.5.x prior to 8.5.5.30, 9.0.x prior to 9.0.5.29)
  • Confirm whether mod_mem_cache module is enabled in httpd.conf configuration
  • Apply IBM security updates to reach fixed versions 8.5.5.30 or 9.0.5.29 or later
  • If patching is not immediately feasible and mod_mem_cache is not required, disable the module as a temporary risk reduction measure
  • Monitor IBM support resources for additional guidance or interim fixes
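
The version and module checks in the list above can be scripted. The following is an added example, not code from IBM or from this page; it assumes the operator supplies the version string and that the module is loaded through a standard Apache-style LoadModule directive naming mem_cache_module or mod_mem_cache.so. The result labels and the sample configuration are constructed.

```python
import re

# Fixed releases stated on this page, keyed by (major, minor) release line.
FIXED = {(8, 5): (8, 5, 5, 30), (9, 0): (9, 0, 5, 29)}

# Assumption: mod_mem_cache is loaded with an Apache-style LoadModule line.
# The anchored pattern does not match lines commented out with '#'.
LOADMODULE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)", re.IGNORECASE)

# Constructed sample httpd.conf fragment (not taken from a real system).
SAMPLE_CONF = """\
LoadModule cache_module modules/mod_cache.so
#LoadModule disk_cache_module modules/mod_disk_cache.so
LoadModule mem_cache_module modules/mod_mem_cache.so
"""


def parse_version(text):
    """Turn '8.5.5.27' into (8, 5, 5, 27), zero-padding short versions."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def version_affected(text):
    """True if the release line is 8.5 or 9.0 and below its fixed version."""
    version = parse_version(text)
    fixed = FIXED.get(version[:2])
    return fixed is not None and version < fixed


def mem_cache_enabled(conf_text):
    """True if an uncommented LoadModule directive loads mod_mem_cache."""
    for line in conf_text.splitlines():
        m = LOADMODULE.match(line)
        if m and ("mem_cache_module" in m.group(1).lower()
                  or "mod_mem_cache" in m.group(2).lower()):
            return True
    return False


def triage(version_text, conf_text):
    """Combine both checks into one constructed priority label."""
    if not version_affected(version_text):
        return "NOT_AFFECTED"
    if mem_cache_enabled(conf_text):
        return "PATCH_NOW"
    return "AFFECTED_BUILD_MODULE_OFF"


if __name__ == "__main__":
    print(triage("8.5.5.27", SAMPLE_CONF))
```

The check only inspects the configuration text it is given, so any files pulled in by Include directives need to be passed through it as well.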

Evidence notes

Vulnerability affects mod_mem_cache module specifically; other IBM HTTP Server configurations without this module enabled are not vulnerable. CPE data confirms affected version ranges: 8.5.0.0 through 8.5.5.29 and 9.0.0.0 through 9.0.5.28.

Official resources

IBM PSIRT disclosed this vulnerability on 2026-05-26. The CVE was published and analyzed by NVD on the same date with a subsequent modification to the record on 2026-05-26. No known exploitation in ransomware campaigns has been reported.