CVE-2026-8852
Description
IBM HTTP Server 8.5 and 9.0 are vulnerable to denial of service via the optional mod_fastcgi module.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM HTTP Server versions 8.5 and 9.0 are vulnerable to denial of service via the optional mod_fastcgi module due to a reachable assertion.
Vulnerability
IBM HTTP Server versions 8.5 and 9.0 are vulnerable to denial of service via the optional mod_fastcgi module. The vulnerability is a reachable assertion (CWE-617) that can be triggered when the module processes a FastCGI request in a specific way. This affects systems where the mod_fastcgi module is enabled. The official security bulletin [1] lists this as CVE-2026-8852.
Exploitation
An attacker with local access can exploit this vulnerability without authentication or privileges (CVSS v3.1 vector: AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The attack complexity is low, meaning no special conditions are required: a specially crafted request sent to the FastCGI handler triggers the reachable assertion, causing the server to crash or become unresponsive.
Impact
Successful exploitation results in a denial of service (DoS) condition. The attacker can cause the HTTP server to crash, making the web service unavailable to legitimate users. There is no impact on confidentiality or integrity; the attack only affects availability.
Mitigation
IBM has addressed this vulnerability in an update. According to the security bulletin [1], the fix is included in IBM HTTP Server updates available at the time of the bulletin. Users should apply the security fix provided by IBM for their respective version (8.5 or 9.0). Restricting local access to the server and disabling the mod_fastcgi module if not required can serve as workarounds. There is no indication that this vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
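The workaround under Mitigation (disable mod_fastcgi where it is not needed) starts with knowing whether the module is loaded and which directives depend on it. The following audit is an added example, not IBM's tooling or part of the bulletin; it assumes the stock `LoadModule fastcgi_module` line and `FastCgi*` directive names, reads one configuration file without following `Include`, and uses a constructed sample configuration.

```python
import re

# Constructed sample httpd.conf content (paths are placeholders, not from a real server).
SAMPLE_CONF = """\
# LoadModule fastcgi_module modules/mod_fastcgi.so
LoadModule fastcgi_module modules/mod_fastcgi.so
<IfModule mod_fastcgi.c>
    FastCGIServer /opt/app/bin/report.fcgi -processes 1
</IfModule>
FastCGIConfig -maxProcesses 5
"""

LOAD_RE = re.compile(r"^LoadModule\s+fastcgi_module\s+(\S+)", re.I)
DIRECTIVE_RE = re.compile(r"^(FastCgi\w+)", re.I)
IFMOD_RE = re.compile(r"^<IfModule\s+(\S+?)\s*>", re.I)
GUARDS = {"mod_fastcgi.c", "fastcgi_module"}  # arguments that guard on mod_fastcgi

def audit_fastcgi(conf_text):
    """Report active mod_fastcgi load lines and FastCgi* directives.

    'unguarded' directives sit outside <IfModule mod_fastcgi.c>; they make the
    server fail its configuration check once the LoadModule line is disabled.
    """
    loaded, guarded, unguarded = [], [], []
    stack = []  # one bool per open <IfModule>: True if it guards on mod_fastcgi
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out directives are inactive
        m = IFMOD_RE.match(line)
        if m:
            stack.append(m.group(1).lower() in GUARDS)
        elif line.lower().startswith("</ifmodule"):
            if stack:
                stack.pop()
        elif (m := LOAD_RE.match(line)):
            loaded.append((lineno, m.group(1)))
        elif (m := DIRECTIVE_RE.match(line)):
            (guarded if any(stack) else unguarded).append((lineno, m.group(1)))
    return {"loaded": loaded, "guarded": guarded, "unguarded": unguarded}

if __name__ == "__main__":
    report = audit_fastcgi(SAMPLE_CONF)
    print("mod_fastcgi loaded:", bool(report["loaded"]), report["loaded"])
    for lineno, name in report["unguarded"]:
        print(f"line {lineno}: {name} must be removed or guarded before disabling the module")
```

An empty `loaded` list means the module is not loaded from that file; any `unguarded` entries need to be commented out or wrapped in `<IfModule mod_fastcgi.c>` together with the `LoadModule` line.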
Affected products
- Range: 8.5, 9.0
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.