IBM HTTP Server 8.5 and 9.0 contain a resource-exhaustion flaw (CWE-400) that lets an attacker who already has write access to portions of the server configuration cause a denial of service and compromise the integrity of the running server.
What Is It
CVE-2026-8856 is a denial-of-service vulnerability in IBM HTTP Server, disclosed by IBM PSIRT and published on 2026-05-26. The flaw is classified as CWE-400 (Uncontrolled Resource Consumption) and arises in deployments where an attacker has write access to parts of the server configuration. Successful abuse degrades availability and impacts integrity of the running web server.
Why It Matters
NVD assigns the issue a Primary CVSS 3.1 base score of 9.1 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H: a network-reachable path requiring no privileges and no user interaction, with high integrity and availability impact. IBM's own Secondary scoring rates the issue 7.7 (HIGH) with a local attack vector (AV:L), which accounts for the prerequisite of write access to the server configuration. The two scores differ mainly in how that prerequisite is modelled, not in impact: both rate integrity and availability impact as high, and the outcome of a successful attack is severe either way, a degraded or unavailable HTTP front door for whatever application sits behind it. When prioritising, treat configuration write access as the practical precondition, since an attacker who can modify the web server's configuration is already well placed to do further damage. There is no CISA KEV entry for this CVE at the time of writing, so CISA has not confirmed active exploitation.
What's Vulnerable
Per the NVD CPE configuration, vulnerable products are:
- IBM HTTP Server 8.5: versions 8.5.0.0 up to (but not including) 8.5.5.30
- IBM HTTP Server 9.0: versions 9.0.0.0 up to (but not including) 9.0.5.29
Affected deployments span AIX, z/OS, Linux, and Windows host operating systems.
Patch Status
The fix is delivered in IBM HTTP Server 8.5.5.30 and 9.0.5.29. Administrators should upgrade to those fix-pack levels (or later) per IBM's advisory. As a compensating control, restrict and audit write permissions on the IBM HTTP Server configuration files and directories (httpd.conf and anything it includes): because exploitation requires an attacker to first obtain write access to parts of the server configuration, limiting who can modify those files and alerting on changes removes the precondition rather than just the symptom.
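The two checks above (are we on an affected fix-pack level, and is the configuration tree writable by anyone other than its owner?) are straightforward to script. The following is an added example, not IBM's tooling or anything from the advisory. It assumes IHS_ROOT points at the install root (the default path below is hypothetical) and that `apachectl -v` prints a `Server version: IBM_HTTP_Server/x.y.z.w` banner; the sample banner embedded in the script is constructed so the functions can be exercised on a host with no IHS install.

```shell
#!/bin/sh
# Added example (not IBM's tooling): flag an IBM HTTP Server install whose
# version falls in the affected ranges for CVE-2026-8856, and audit the
# configuration tree for the write access the flaw depends on.
# Assumptions: IHS_ROOT is the install root (default below is hypothetical)
# and "apachectl -v" prints a "Server version: IBM_HTTP_Server/x.y.z.w" line.

IHS_ROOT="${IHS_ROOT:-/opt/IBM/HTTPServer}"

# First fixed fix-pack levels per the advisory.
FIXED_85="8.5.5.30"
FIXED_90="9.0.5.29"

# Constructed sample banner, used when no real install is present.
SAMPLE_BANNER="Server version: IBM_HTTP_Server/9.0.5.20 (Unix)"

# Compare two dotted numeric versions field by field; prints -1, 0 or 1.
# A trailing dot is appended so cut yields an empty field past the end
# (without it, cut returns the whole string for a single-field input).
vercmp() {
    a="$1." b="$2." i=1
    while :; do
        fa=$(printf '%s' "$a" | cut -d. -f"$i")
        fb=$(printf '%s' "$b" | cut -d. -f"$i")
        if [ -z "$fa" ] && [ -z "$fb" ]; then echo 0; return; fi
        fa=${fa:-0} fb=${fb:-0}
        if [ "$fa" -lt "$fb" ]; then echo -1; return; fi
        if [ "$fa" -gt "$fb" ]; then echo 1; return; fi
        i=$((i + 1))
    done
}

# Extract the dotted version from the apachectl -v output (first arg).
ihs_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Server version: IBM_HTTP_Server\/\([0-9.]*\).*/\1/p'
}

# Exit 0 when the version lies in an affected range, 1 otherwise.
ihs_affected() {
    case "$1" in
        8.5.*) [ "$(vercmp "$1" "$FIXED_85")" -lt 0 ] ;;
        9.0.*) [ "$(vercmp "$1" "$FIXED_90")" -lt 0 ] ;;
        *)     return 1 ;;
    esac
}

# List files and directories under the given conf tree that are group- or
# world-writable, i.e. that would hand a non-owner the configuration write
# access the flaw requires. Exit 1 if anything is found, 0 if clean.
audit_config_perms() {
    findings=$(find "$1" \( -type f -o -type d \) \( -perm -0020 -o -perm -0002 \) 2>/dev/null)
    if [ -n "$findings" ]; then
        printf 'group/other-writable under %s:\n%s\n' "$1" "$findings" >&2
        return 1
    fi
    return 0
}

# Stand-alone run against a real install; skipped when none is present.
if [ -x "$IHS_ROOT/bin/apachectl" ]; then
    ver=$(ihs_version_from_banner "$("$IHS_ROOT/bin/apachectl" -v 2>/dev/null)")
    if [ -z "$ver" ]; then
        echo "could not parse IBM HTTP Server version from apachectl -v"
    elif ihs_affected "$ver"; then
        echo "IBM HTTP Server $ver: affected by CVE-2026-8856, upgrade to $FIXED_85 / $FIXED_90"
    else
        echo "IBM HTTP Server $ver: not in an affected range"
    fi
    audit_config_perms "$IHS_ROOT/conf" && echo "conf tree: no group/other-writable entries"
fi
```

The version check deliberately treats the fixed levels as the first safe release and anything below them in the same stream as affected; a 9.0.5 build that reports fewer version fields is padded with zeros so it still compares as older than 9.0.5.29. The permission audit only looks at mode bits; on hosts where the conf tree is owned by a non-root service account, also confirm that account is not the one the worker processes run as.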