IBM SDK, Java Technology Edition denial of service
Description
IBM SDK Java Technology Edition ORB 7.1.0.0-7.1.5.21 and 8.0.0.0-8.0.8.21 allows denial of service via improper enforcement of JEP 290 MaxRef and MaxDepth deserialization filters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A denial-of-service vulnerability exists in the IBM SDK, Java Technology Edition's Object Request Broker (ORB) component. Affected versions include 7.1.0.0 through 7.1.5.21 and 8.0.0.0 through 8.0.8.21. The issue arises from improper enforcement of the JEP 290 MaxRef and MaxDepth deserialization filters, which can be bypassed under certain circumstances.
Exploitation
An attacker can trigger the vulnerability by sending specially crafted serialized data to a vulnerable ORB endpoint. The attacker does not require authentication, but successful exploitation depends on the ORB accepting and deserializing the malicious data. The precise sequence involves sending a serialized object that exceeds the intended filter limits, leading to resource exhaustion.
Impact
Successful exploitation results in a denial of service (DoS) condition, as the ORB may consume excessive memory or CPU resources, causing the Java application to become unresponsive or crash. The impact is limited to availability, with no confidentiality or integrity compromise.
Mitigation
IBM has addressed this vulnerability in the April 2024 Critical Patch Update (CPU). Users should upgrade to the latest fix levels for their SDK versions. For version 7.1, apply 7.1.5.22 or later; for version 8.0, apply 8.0.8.22 or later. There is no known workaround; applying the fix is recommended. Refer to IBM Security Bulletin 7150727 [1] for details.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
19 entries in total.
IBM SDK, Java Technology Edition (2 entries)
- (no CPE) range: >=7.1.0.0 <=7.1.5.21 or >=8.0.0.0 <=8.0.8.21
- (no CPE) range: 7.1.0.0
osv-coords (17 versions), package purl with its vulnerable range:
- pkg:rpm/opensuse/java-1_8_0-ibm&distro=openSUSE%20Leap%2015.5 (no CPE) range: < 1.8.0_sr8.25-150000.3.89.1
- pkg:rpm/opensuse/java-1_8_0-ibm&distro=openSUSE%20Leap%2015.6 (no CPE) range: < 1.8.0_sr8.25-150000.3.89.1
- pkg:rpm/suse/java-1_8_0-ibm&distro=SUSE%20Enterprise%20Storage%207.1 (no CPE) range: < 1.8.0_sr8.25-150000.3.89.1
- pkg:rpm/suse/java-1_8_0-ibm&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS (no CPE) range: < 1.8.0_sr8.25-150000.3.89.1
- pkg:rpm/suse/java-1_8_0-ibm&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS (no CPE) range: < 1.8.0_sr8.25-150000.3.89.1
- pkg:rpm/suse/java-1_8_0-ibm&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS (no CPE) range: < 1.8.0_sr8.25-150000.3.89.1
- pkg:rpm/suse/java-1_8_0-ibm&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Legacy%2015%20SP5 (no CPE) range: < 1.8.0_sr8.25-150000.3.89.1
- pkg:rpm/suse/java-1_8_0-ibm&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Legacy%2015%20SP6 (no CPE) range: < 1.8.0_sr8.25-150000.3.89.1
- pkg:rpm/suse/java-1_8_0-ibm&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (no CPE) range: < 1.8.0_sr8.25-30.123.1
- pkg:rpm/suse/java-1_8_0-ibm&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS (no CPE) range: < 1.8.0_sr8.25-150000.3.89.1
- pkg:rpm/suse/java-1_8_0-ibm&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS (no CPE) range: < 1.8.0_sr8.25-150000.3.89.1
- pkg:rpm/suse/java-1_8_0-ibm&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS (no CPE) range: < 1.8.0_sr8.25-150000.3.89.1
- pkg:rpm/suse/java-1_8_0-ibm&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (no CPE) range: < 1.8.0_sr8.25-30.123.1
- pkg:rpm/suse/java-1_8_0-ibm&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2 (no CPE) range: < 1.8.0_sr8.25-150000.3.89.1
- pkg:rpm/suse/java-1_8_0-ibm&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3 (no CPE) range: < 1.8.0_sr8.25-150000.3.89.1
- pkg:rpm/suse/java-1_8_0-ibm&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4 (no CPE) range: < 1.8.0_sr8.25-150000.3.89.1
- pkg:rpm/suse/java-1_8_0-ibm&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 (no CPE) range: < 1.8.0_sr8.25-30.123.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Mechanics are only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- www.ibm.com/support/pages/node/7150727 (mitre, vendor-advisory)
- exchange.xforce.ibmcloud.com/vulnerabilities/260578 (mitre, vdb-entry)
News mentions
No linked articles in our index yet.