CVE-2026-6936
Description
IBM i 7.6, 7.5, 7.4, and 7.3 is vulnerable to a denial-of-service attack due to uncontrolled recursion in the Integrated Language Environment (ILE) compiler. An authenticated attacker could exploit this vulnerability by compiling specially crafted source code containing a specific combination of statements.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM i 7.3–7.6 are vulnerable to a DoS via uncontrolled recursion in the ILE compiler when an authenticated attacker compiles specially crafted source code.
Vulnerability
IBM i versions 7.3, 7.4, 7.5, and 7.6 are affected by an uncontrolled recursion vulnerability (CWE-674) in the Integrated Language Environment (ILE) compiler [1]. The bug is triggered when an authenticated attacker compiles specially crafted source code containing a specific combination of statements. The affected product feature or license program is 5770-999 across all listed versions [1].
Exploitation
An attacker must have valid authentication credentials for the IBM i system. No special network position beyond the ability to compile source code is required; the CVSS vector indicates network-accessible attack surface with low complexity and no user interaction (AV:N/AC:L/PR:L/UI:N) [1]. Once authenticated, the attacker compiles the malicious source code, which causes the ILE compiler to enter deep recursion, exhausting system resources.
Impact
Successful exploitation leads to a denial-of-service condition. The CVSSv3 score is 6.5 (medium) with impact scope unchanged, and confidentiality and integrity are not affected (C:N/I:N/A:H) [1]. The target system becomes unavailable for legitimate compilation tasks or other services due to resource exhaustion.
Mitigation
IBM’s security bulletin (13 May 2026) does not provide a fix or workaround; the Workarounds and Mitigations section states "None" [1]. Administrators should monitor IBM support pages for a future PTF (Program Temporary Fix) for the affected 5770-999 feature code. Restrict compilation privileges to trusted users only until a patch is released. No known exploitation in the wild has been reported in the available references.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions: 0
No linked articles in our index yet.