{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-9002","assignerOrgId":"9a959283-ebb5-44b6-b705-dcc2bbced522","state":"PUBLISHED","assignerShortName":"ibm","dateReserved":"2026-05-19T13:37:18.171Z","datePublished":"2026-06-30T19:08:43.309Z","dateUpdated":"2026-06-30T19:30:30.663Z"},"containers":{"cna":{"providerMetadata":{"orgId":"9a959283-ebb5-44b6-b705-dcc2bbced522","shortName":"ibm","dateUpdated":"2026-06-30T19:08:43.309Z"},"title":"IBM WebSphere eXtremes Scale is affected by uncontrolled resource consumption when XDF is enabled","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-400","description":"CWE-400 Uncontrolled Resource Consumption","type":"CWE"}]}],"affected":[{"vendor":"IBM","product":"WebSphere Extreme Scale","versions":[{"status":"affected","version":"8.6.1.0","lessThanOrEqual":"8.6.1.6","versionType":"semver"}],"cpes":["cpe:2.3:a:ibm:websphere_extreme_scale:8.6.1.0:*:*:*:*:*:*:*","cpe:2.3:a:ibm:websphere_extreme_scale:8.6.1.6:*:*:*:*:*:*:*"]}],"descriptions":[{"lang":"en","value":"IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 could allow an adjacent attacker to cause a denial of service due to improper validation in the XDF decoder. The application processes deeply nested Protocol Buffers messages and attacker-controlled length prefixes without sufficient bounds checking, which may allow an attacker on the same network to trigger a StackOverflowError or OutOfMemoryError, resulting in a crash of the WebSphere Application Server JVM.","supportingMedia":[{"type":"text/html","base64":false,"value":"<p>IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 could allow an adjacent attacker to cause a denial of service due to improper validation in the XDF decoder. The application processes deeply nested Protocol Buffers messages and attacker-controlled length prefixes without sufficient bounds checking, which may allow an attacker on the same network to trigger a StackOverflowError or OutOfMemoryError, resulting in a crash of the WebSphere Application Server JVM.</p>"}]}],"references":[{"url":"https://www.ibm.com/support/pages/node/7278346","tags":["vendor-advisory","patch"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseSeverity":"MEDIUM","baseScore":6.5,"vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}],"solutions":[{"lang":"en","value":"ProductVersion(s)APARRemediation/First FixIBM WebSphere eXtreme Scale8.6.1.0 - 8.6.1.6PH71946 \n\nFor older versions, upgrade to latest fixpack 8.6.1.6 and then apply the PH71946 iFix. If you are using 8.6.1.6  directly apply the PH71946 iFix.\n\n\n\n Recommended Fixes page for WebSphere eXtreme Scale http://www.ibm.com/support/docview.wss","supportingMedia":[{"type":"text/html","base64":false,"value":"<div><table><tbody><tr><td>Product</td><td>Version(s)</td><td>APAR</td><td>Remediation/First Fix</td></tr><tr><td>IBM WebSphere eXtreme Scale</td><td>8.6.1.0 - 8.6.1.6</td><td>PH71946 </td><td><p>For older versions, upgrade to latest fixpack 8.6.1.6 and then apply the PH71946 iFix. If you are using 8.6.1.6  directly apply the PH71946 iFix.</p><p><a href=\"http://www.ibm.com/support/docview.wss?uid=swg27018991\" rel=\"nofollow\">Recommended Fixes page for WebSphere eXtreme Scale</a></p></td></tr></tbody></table></div>"}]}],"x_generator":{"engine":"ibm-cvegen"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-06-30T19:30:23.440960Z","id":"CVE-2026-9002","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-30T19:30:30.663Z"}}]}}