SYS::ONLINE
Wasteland.
Briefs779
Issues14
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-8175 2026-05-27

CVE-2026-8175: Critical Buffer Overflow in IBM Aspera High-Speed Transfer

"A critical (CVSS 9.8) heap-based buffer overflow in the `asperahttpd` component of IBM Aspera High-Speed Transfer Endpoint and Server can be exploited remotely without authentication, potentially enabling denial of…"

A critical (CVSS 9.8) heap-based buffer overflow in the asperahttpd component of IBM Aspera High-Speed Transfer Endpoint and Server can be exploited remotely without authentication, potentially enabling denial of service, authentication bypass, or remote code execution.

What Is It

CVE-2026-8175 is a buffer overflow vulnerability (CWE-122: Heap-based Buffer Overflow) in the asperahttpd component used by IBM Aspera High-Speed Transfer products. According to IBM PSIRT, the flaw could be exploited to cause a denial of service and "potentially lead to authentication bypass or remote code execution."

The CVSS 3.1 vector, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, describes a network-reachable bug that requires no privileges and no user interaction, with high impact to confidentiality, integrity, and availability. That combination is what drives the 9.8 (CRITICAL) base score.

Why It Matters

Aspera is widely deployed for high-throughput file transfer across media, life sciences, government, and enterprise environments, frequently with its HTTP daemon exposed to facilitate transfer brokering. An unauthenticated, network-reachable memory corruption bug in that daemon is exactly the kind of pre-auth surface that maps cleanly to opportunistic mass exploitation if a working RCE primitive is developed.

The advisory explicitly chains the impact from DoS up to potential authentication bypass and RCE, meaning successful exploitation could allow an attacker to take over the transfer node entirely and pivot into data flows it brokers.

What's Vulnerable

Per the NVD record:

The affected code path is the asperahttpd component. No specific affected CPE list is enumerated in the current NVD entry, which remains in "Undergoing Analysis" status.

Patch Status

IBM has published a security bulletin at the reference URL below. There is no CISA KEV entry for CVE-2026-8175 at this time, meaning active in-the-wild exploitation has not been confirmed by CISA. Given the CVSS 9.8 rating and the pre-auth network reachability, operators of Aspera Endpoint and Server in the affected version range should consult the IBM advisory and apply the vendor-provided fix as the required remediation.

Sources