SB2026040119 - Multiple vulnerabilities in IBM Maximo AI Service

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026040119

SB2026040119 - Multiple vulnerabilities in IBM Maximo AI Service

Published: April 1, 2026

Security Bulletin ID SB2026040119
Severity
Low
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Improper Handling of Windows Device Names (CVE-ID: CVE-2026-21860)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to safe_join function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as CON, AUX, etc that are implicitly present and readable in every directory. Windows still accepts them with any file extension, such as CON.txt, or trailing spaces such as CON. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.

2) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2026-22701)

The vulnerability allows a local user to perform a denial of service attack.

The vulnerability exists due to a race condition in the SoftFileLock implementation of the filelock package. A local user can create a symbolic link to a critical file on the system between the permission validation and file creation to cause lock operations to fail or behave unexpectedly.


Remediation

Install update from vendor's website.

References