CVE-2026-8856
Description
IBM HTTP Server 8.5 and 9.0 are vulnerable to denial of service in configurations where an attacker has write access to parts of the server configuration.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM HTTP Server 8.5/9.0 denial of service via a NULL pointer dereference in mod_ibm_upload when an attacker has write access to the server configuration.
Vulnerability
IBM HTTP Server versions 8.5 and 9.0 are vulnerable to denial of service via the optional module mod_ibm_upload. The bug is a NULL pointer dereference (CWE-476) reachable when an attacker has write access to parts of the server configuration. The affected module is not enabled by default, but can be activated in configurations where the attacker can modify server settings.
Exploitation
An attacker needs write access to the server configuration (e.g., via the Administration Server or file system). With that privilege, they can enable mod_ibm_upload and trigger the NULL pointer dereference by sending a crafted HTTP request. No authentication or network position beyond local or adjacent access is required; the attack is low complexity and requires no user interaction.
Impact
Successful exploitation causes a denial of service (availability loss, CVSS 7.5). No information disclosure or code execution occurs; the impact is limited to service disruption.
Mitigation
IBM has not disclosed a fix as of the publication date. Workarounds include disabling mod_ibm_upload if not needed, or restricting write access to server configuration to trusted administrators only. The vulnerability is not listed in KEV. Users should monitor IBM security bulletins for future patches.
References
[1] https://www.ibm.com/support/pages/node/7274065 — IBM HTTP Server multiple vulnerabilities bulletin.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 8.5, 9.0
Patches
No patches discovered yet.
References
- www.ibm.com/support/pages/node/7274065 (nvd, Vendor Advisory)