VYPR
High severity 7.3 · NVD Advisory · Published May 26, 2026 · Updated May 26, 2026

CVE-2026-8835

Description

IBM HTTP Server 8.5 and 9.0 is vulnerable to an invalid pointer dereference. A privileged user, authenticated to the Administration Server, could exploit this vulnerability to expose sensitive information or cause a denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM HTTP Server 8.5 and 9.0 contain an invalid pointer dereference vulnerability that allows a privileged authenticated user to expose sensitive information or cause a denial of service.

Vulnerability

IBM HTTP Server versions 8.5 and 9.0 are vulnerable to an invalid pointer dereference (CWE-822). This occurs when a privileged user authenticated to the Administration Server interacts with the server. The vulnerability is present in the Administration Server component. [1]

Exploitation

To exploit this vulnerability, an attacker must be a privileged user authenticated to the Administration Server. The attack vector is adjacent network (AV:A), with low attack complexity and no user interaction required. The attacker can send crafted requests to trigger the invalid pointer dereference. [1]

Impact

Successful exploitation can lead to exposure of sensitive information (confidentiality impact: high) and denial of service (availability impact: high). There is no integrity impact. No elevated privileges are required beyond the initial authentication. [1]

Mitigation

IBM has released security updates for IBM HTTP Server. Customers are advised to apply the fixes as specified in the security bulletin [1]. As a workaround, restrict access to the Administration Server to trusted users.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
