VYPR
Critical severity 9.8 · NVD Advisory · Published May 27, 2026 · Updated May 27, 2026

CVE-2026-8175

Description

IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Server 3.7.4 through 4.4.7 Fix Pack 1 are affected by a buffer overflow in the asperahttpd component. This vulnerability could be exploited to cause a denial of service and potentially lead to authentication bypass or remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Aspera High-Speed Transfer Endpoint and Server 3.7.4 through 4.4.7 Fix Pack 1 contain a heap-based buffer overflow in asperahttpd, enabling remote DoS, authentication bypass, or RCE with no authentication required.

Vulnerability

IBM Aspera High-Speed Transfer Endpoint and High-Speed Transfer Server versions 3.7.4 through 4.4.7 Fix Pack 1 are affected by a heap-based buffer overflow (CWE-122) in the asperahttpd component [1]. The vulnerability exists in how the HTTP daemon handles certain network requests, allowing an attacker to corrupt heap memory when processing malformed or oversized input. No special configuration is required; the default installation is exposed over the network. The fixed version is 4.4.7 Fix Pack 2.

Exploitation

An unauthenticated attacker can exploit this vulnerability remotely by sending a specially crafted network request to the asperahttpd service over TCP, typically on port 443 or 9091 depending on deployment [1]. The attacker does not need valid credentials or prior access. The heap overflow is triggered when the malformed input is read and copied into a fixed-size heap buffer, allowing control of adjacent memory. No user interaction is required, and the attack complexity is low.

Impact

Successful exploitation could cause a denial of service via crash or hang of the asperahttpd process [1]. More critically, the heap corruption may be leveraged to bypass authentication or achieve remote code execution (RCE) at the privilege level of the asperahttpd process, which typically runs as a non-root user but with access to transfer data. In the worst case, this gives the attacker complete control over affected files and the ability to move laterally within the environment.

Mitigation

IBM released version 4.4.7 Fix Pack 2 on 2026-05-27 to address the buffer overflow [1]. Users must upgrade both the Endpoint and Server components to the fixed version. There are no effective workarounds that close the attack surface without stopping the Aspera transfer services, as the vulnerability is in the core HTTP listener. Users of versions older than 4.4.7 should upgrade to a supported release. This CVE is not currently listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 0 (no linked articles in our index yet)