CVE-2026-7254

Vulnerability

The vulnerability exists in the OpenBMC HTTPS service of IBM Power Systems running firmware versions FW1110.00 through FW1110.11. It is due to improper validation of specified quantity in input (CWE-1284), allowing unauthenticated network users to cause a denial of service. [1]

Exploitation

An attacker can exploit this vulnerability by sending specially crafted HTTPS requests to the BMC's network interface without requiring any authentication. The attack is network-based (AV:N) with low complexity (AC:L) and no user interaction (UI:N). [1]

Impact

Successful exploitation leads to denial of service, rendering the BMC unresponsive and impacting system management capabilities. The CVSS v3.1 base score is 5.3 (Medium), with a vector of (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), indicating low availability impact and no confidentiality or integrity impact. [1]

Mitigation

To remediate this vulnerability, IBM recommends installing firmware version FW1110.20 (1110_130) or newer. As a workaround, organizations should protect access to the BMC's network interface by restricting network access to trusted systems only. [1]