SB2026031026 - Multiple vulnerabilities in IBM Engineering Lifecycle Management on Hybrid Cloud
Published: March 10, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 22 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2025-47912)
The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists in net/url due to the Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. A remote attacker can abuse such behavior to perform spoofing attacks.
2) Information disclosure (CVE-ID: CVE-2025-4673)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to sensitive Proxy-Authorization and Proxy-Authenticate headers are not cleared on cross-origin redirect in net/http. A remote attacker can gain access to credentials passed via these headers.
3) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-58186)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in net/http due to the application does not limit the number of cookies sent in the request. A remote attacker can send a lot of very small cookies such as "a=;" and cause large memory consumption.
4) Heap-based buffer overflow (CVE-ID: CVE-2025-65018)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the png_image_finish_read() function when processing 16-bit interlaced PNGs with 8-bit output format. A remote attacker can pass a specially crafted image file to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
5) Out-of-bounds read (CVE-ID: CVE-2025-66293)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the png_image_read_composite() function. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system.
6) Out-of-bounds read (CVE-ID: CVE-2025-64720)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the png_image_read_composite() function when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. A remote attacker can pass a specially crafted image file to the application, trigger an out-of-bounds read error and read contents of memory on the system.
7) Resource exhaustion (CVE-ID: CVE-2025-61724)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in net/textproto due to the Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. A remote attacker can trigger excessive CPU consumption and perform a denial of service (DoS) attack.
8) Out-of-bounds write (CVE-ID: CVE-2025-9230)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when trying to decrypt CMS messages encrypted using password based encryption. A remote attacker can trigger an out-of-bounds write and execute arbitrary code on the target system.
Successful exploitation of the vulnerability requires that password based (PWRI) encryption support in CMS messages is enabled.
9) Input validation error (CVE-ID: CVE-2025-47906)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to insufficient validation of the PATH environment variable in LookPath. A local user can pass specially crafted strings to the application and execute arbitrary OS commands with elevated privileges.
10) Resource exhaustion (CVE-ID: CVE-2025-58185)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in encoding/asn1 due to application does not properly control consumption of internal resources when parsing DER payloads. A remote attacker can trigger memory exhaustion and perform a denial of service (DoS) attack.
11) Resource exhaustion (CVE-ID: CVE-2025-61723)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in encoding/pem due to application does not properly control consumption of internal resources when parsing untrusted PEM input. A remote attacker can trigger CPU exhaustion and perform a denial of service (DoS) attack.
12) Heap-based buffer overflow (CVE-ID: CVE-2023-42366)
The vulnerability allows a remote attacker to crash the application.
The vulnerability exists due to a boundary error within the next_token() function at awk.c. A remote attacker can trick the victim to pass a specially crafted file, trigger a heap-based buffer overflow and perform a denial of service (DoS) attack.
13) Use-after-free (CVE-ID: CVE-2023-42365)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error within the copyvar() function in awk.c. A remote attacker can trick the victim to pass a specially crafted awk pattern to the application and crash it.
14) Use-after-free (CVE-ID: CVE-2023-42363)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
15) Out-of-bounds write (CVE-ID: CVE-2022-48174)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input ash.c. A remote attacker can send specially crafted data to the application, trigger an out-of-bounds write and execute arbitrary code on the target system.
16) Use-after-free (CVE-ID: CVE-2023-42364)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
17) Resource exhaustion (CVE-ID: CVE-2025-58183)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in archive/tar due to the tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A remote attacker can pass a specially crafted archive to the application and perform a denial of service (DoS) attack.
18) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2025-13281)
The disclosed vulnerability allows a remote user to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input in kube-controller-manager when using the in-tree Portworx StorageClass. A remote user can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.
19) Incorrect authorization (CVE-ID: CVE-2025-5187)
The vulnerability allows a node user to escalate privileges on the system.
The vulnerability exists due to incorrect authorization in the NodeRestriction admission controller. A node user can delete and then recreate its node object with modified taints or labels.
20) Improper Authorization (CVE-ID: CVE-2025-4563)
The vulnerability allows a malicious node to bypass dynamic resource allocation authorization checks.
The vulnerability exists due to missing authorization checks in DynamicResourceAllocation feature gate within the NodeRestriction admission controller. A malicious node can create mirror pods that access unauthorized dynamic resources, leading to denial of service or potential privilege escalation.
21) Resource exhaustion (CVE-ID: CVE-2025-64329)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists in CRI Attach implementation due to goroutine leaks. A local user can trigger resource exhaustion and perform a denial of service (DoS) attack against the host.
22) Incorrect default permissions (CVE-ID: CVE-2024-25621)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to incorrect default permissions set for critical files, such as /var/lib/containerd (0711 instead of 0700), /run/containerd/io.containerd.grpc.v1.cri (0755 instead of 0700), and /run/containerd/io.containerd.sandbox.controller.v1.shim (0711 instead of 0700) and for the temp directory. A local user can escalate privileges on the system.
Remediation
Install update from vendor's website.