VYPR
Medium severity 4.8 · NVD Advisory · Published May 27, 2026 · Updated May 27, 2026

CVE-2026-4410

Description

IBM WebSphere Application Server - Liberty 19.0.0.7 through 26.0.0.5 and IBM WebSphere Application Server 9.0 and 8.5 are vulnerable to a denial of service caused by a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM WebSphere Application Server (Liberty 19.0.0.7-26.0.0.5, traditional 8.5/9.0) is vulnerable to denial of service via a specially-crafted request when the sipServlet-1.1 feature is enabled.

Vulnerability

IBM WebSphere Application Server - Liberty versions 19.0.0.7 through 26.0.0.5 with the sipServlet-1.1 feature enabled, and IBM WebSphere Application Server traditional versions 8.5 and 9.0, are vulnerable to a denial of service caused by sending a specially-crafted request. The vulnerability leads to excessive memory consumption [1].

Exploitation

An attacker with network access to the affected server (adjacent network per CVSS vector) and low privileges can exploit this vulnerability by sending a specially-crafted request. No user interaction is required. The request triggers memory exhaustion on the server [1].

Impact

Successful exploitation results in a denial of service due to memory resource exhaustion, impacting availability. There is no impact on confidentiality or integrity. The CVSS v3 base score is 4.8 [1].

Mitigation

IBM recommends applying an interim fix for APAR PH70807 (Liberty) or PH70616 (traditional), or upgrading to fix pack 26.0.0.6 (Liberty) or 9.0.5.28 (traditional), targeted for availability in 2Q2026. As a workaround, disabling the sipServlet-1.1 feature, if it is not required, can mitigate the vulnerability [1].
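
An exposure check for the Liberty workaround above, added here as an example and not taken from IBM or this advisory: it tests a `server.xml` for the sipServlet-1.1 feature and compares the server version with the affected range. The function names and the sample configuration are assumptions; the check reads only the XML text it is given (not included files or `configDropins`) and does not detect an installed interim fix.

```python
import xml.etree.ElementTree as ET

VULN_FEATURE = "sipservlet-1.1"   # feature named in the advisory, lowercased
FIRST_AFFECTED = (19, 0, 0, 7)    # Liberty range given in the advisory
LAST_AFFECTED = (26, 0, 0, 5)

# Constructed sample configuration, not taken from any real deployment.
SAMPLE_SERVER_XML = """<server description="constructed sample">
  <featureManager>
    <feature>servlet-4.0</feature>
    <feature>sipServlet-1.1</feature>
  </featureManager>
</server>"""


def parse_version(text):
    """Turn '25.0.0.3' into (25, 0, 0, 3); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Liberty version string: {text!r}")
    return tuple(int(p) for p in parts)


def sip_feature_enabled(server_xml):
    """True if a <featureManager><feature> entry names sipServlet-1.1."""
    root = ET.fromstring(server_xml)
    return any(
        (f.text or "").strip().lower() == VULN_FEATURE
        for f in root.findall("./featureManager/feature")
    )


def assess(server_xml, version):
    """Combine the version range and the feature check into one verdict."""
    in_range = FIRST_AFFECTED <= parse_version(version) <= LAST_AFFECTED
    enabled = sip_feature_enabled(server_xml)
    if in_range and enabled:
        return "exposed"                      # patch or disable the feature
    if in_range:
        return "in-range-feature-disabled"    # workaround already in effect
    if enabled:
        return "feature-enabled-outside-range"
    return "not-affected"


if __name__ == "__main__":
    print(assess(SAMPLE_SERVER_XML, "25.0.0.3"))
```
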

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
