Denial of Service via XDF Decoder in IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6
CVE-2026-9002 Published on June 30, 2026
IBM WebSphere eXtreme Scale is affected by uncontrolled resource consumption when XDF is enabled
IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 could allow an adjacent attacker to cause a denial of service due to improper validation in the XDF decoder. The application processes deeply nested Protocol Buffers messages and attacker-controlled length prefixes without sufficient bounds checking, which may allow an attacker on the same network to trigger a StackOverflowError or OutOfMemoryError, resulting in a crash of the WebSphere Application Server JVM.
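A decoder that performs the two checks the advisory describes as missing, as an added example (Python, not IBM's XDF code): the declared length of each length-delimited field is compared against the bytes actually received before anything is sliced or allocated, and submessage nesting is capped before recursing. The depth limit, the field-number schema (`NESTED_FIELDS`) and the sample inputs are assumptions.

```python
# Added example, not IBM's code: protobuf length-delimited fields with the two checks the advisory describes as missing (limits/schema assumed).
from typing import List, Tuple, Union

MAX_DEPTH = 8          # assumed cap on nested submessages
MAX_VARINT_BYTES = 10  # a well-formed base-128 varint never exceeds 10 bytes
NESTED_FIELDS = {2}    # assumed schema: field 2 carries a submessage

class DecodeError(ValueError):
    """Malformed or over-limit input; raised before any deep recursion or allocation."""

def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a varint at pos, rejecting truncated or over-long encodings."""
    value = 0
    for i in range(MAX_VARINT_BYTES):
        if pos >= len(buf):
            raise DecodeError("truncated varint")
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << (7 * i)
        if not b & 0x80:
            return value, pos
    raise DecodeError("varint longer than 10 bytes")

def decode(buf: bytes, depth: int = 0) -> List[tuple]:
    """Return (field_number, value) pairs; NESTED_FIELDS are decoded recursively."""
    if depth > MAX_DEPTH:                        # bounded recursion: no StackOverflowError
        raise DecodeError(f"nesting exceeds {MAX_DEPTH} levels")
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field, wire_type = tag >> 3, tag & 0x7
        if wire_type == 0:                       # varint
            value, pos = read_varint(buf, pos)
        elif wire_type == 2:                     # length-delimited
            length, pos = read_varint(buf, pos)
            if length > len(buf) - pos:          # never trust the prefix over the bytes held
                raise DecodeError(f"declared length {length} exceeds {len(buf) - pos} remaining")
            chunk, pos = buf[pos:pos + length], pos + length
            value = decode(chunk, depth + 1) if field in NESTED_FIELDS else chunk
        else:                                    # fixed32/fixed64/groups are out of scope here
            raise DecodeError(f"unsupported wire type {wire_type}")
        fields.append((field, value))
    return fields

def try_decode(buf: bytes) -> Tuple[bool, Union[List[tuple], str]]:
    try:
        return True, decode(buf)
    except DecodeError as e:
        return False, str(e)

def nested_message(levels: int) -> bytes:
    """Constructed input: field 1 = 1 wrapped in `levels` submessages (each < 128 bytes)."""
    msg = b"\x08\x01"
    for _ in range(levels):
        msg = b"\x12" + bytes([len(msg)]) + msg
    return msg
```

In a decoder that pre-sizes buffers from the declared length, the length check is what prevents the OutOfMemoryError the advisory mentions; the depth check bounds the recursion that would otherwise overflow the stack.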
Vulnerability Analysis
Weakness Type
What is a Resource Exhaustion Vulnerability?
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
CVE-2026-9002 has been classified as a Resource Exhaustion vulnerability or weakness.
Products Associated with CVE-2026-9002
Affected Versions
IBM WebSphere Extreme Scale: versions 8.6.1.0 through 8.6.1.6 are affected.