CVE-2026-8855
Description
IBM HTTP Server 8.5 and 9.0 are vulnerable to remote code execution and denial of service in configurations with TLS mutual authentication (client authentication).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM HTTP Server 8.5 and 9.0 with TLS mutual authentication enabled are vulnerable to remote code execution and denial of service via code injection (CWE-94).
Vulnerability
A code injection vulnerability (CWE-94) exists in IBM HTTP Server versions 8.5 and 9.0 when TLS mutual authentication (client authentication) is enabled [1]. An attacker can craft a malicious TLS handshake that triggers improper control of code generation, leading to arbitrary code execution or denial of service [1]. Vulnerable versions include all releases of the 8.5.x and 9.0.x lines, specifically those using client certificate authentication in the TLS/SSL configuration [1].
Exploitation
An attacker must be able to establish a TLS connection to a server where TLS mutual authentication is required [1]. No prior authentication or user interaction is needed. The attack is network-based but requires high attack complexity due to the need to craft a specific malicious certificate or handshake that bypasses the client certificate validation logic [1]. Once the connection is accepted, the attacker sends a specially crafted payload that exploits the code injection flaw, leading to remote code execution [1]. The CVSS vector (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) confirms the network attack vector and high complexity [1].
Impact
Successful exploitation allows the attacker to execute arbitrary code with the privileges of the HTTP Server process (typically a low-privileged service account) [1]. This can lead to full compromise of the confidentiality, integrity, and availability of the affected server, as well as potential lateral movement within the network [1]. The same vulnerability can also be leveraged to cause a denial of service (system crash or service hang) without code execution [1]. The impact is rated as high severity with CVSS base score 8.1 [1].
Mitigation
IBM has provided a security fix via IBM HTTP Server Fix Pack 9.0.5.22 and Fix Pack 8.5.5.27, released on 2026-05-26 [1]. Administrators should apply the appropriate fix pack for their version as soon as possible [1]. Until patching, the only workaround is to disable TLS mutual authentication if it can be avoided; however, this may break required client certificate verification [1]. No other mitigation is available [1]. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 8.5, 9.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.ibm.com/support/pages/node/7274065 (nvd, Vendor Advisory)
News mentions
No linked articles in our index yet.