SB2026042114 - Multiple vulnerabilities in IBM Storage Defender - Resiliency Service

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026042114

SB2026042114 - Multiple vulnerabilities in IBM Storage Defender - Resiliency Service

Published: April 21, 2026

Security Bulletin ID SB2026042114
Severity
Medium
Patch available
YES
Number of vulnerabilities 9
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 89% Low 11%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 9 secuirty vulnerabilities.


1) Cryptographic issues (CVE-ID: CVE-2025-69277)

The vulnerability allows a remote attacker to read or manipulate encrypted data.

The vulnerability exists due to an error within the ge25519_is_on_main_subgroup() function in src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c  in atypical use cases involving certain custom cryptography or untrusted data passed to crypto_core_ed25519_is_valid_point(). A remote attacker can read or manipulate encrypted data.


2) Improper input validation (CVE-ID: CVE-2026-21925)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the RMI component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.


3) Improper input validation (CVE-ID: CVE-2026-21932)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the AWT, JavaFX component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.


4) Improper input validation (CVE-ID: CVE-2026-21933)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Networking component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.


5) Improper input validation (CVE-ID: CVE-2026-21945)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Security component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.


6) Resource management error (CVE-ID: CVE-2026-25673)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application in django.forms.URLField when handling Unicode characters on Windows. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.


7) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2026-25674)

The vulnerability allows a local user to alter application behavior. 

The vulnerability exists due to incorrect permissions set for newly created directories. A local user can potentially write files into the directory before proper permissions are applied. 


8) Insufficient verification of data authenticity (CVE-ID: CVE-2026-26007)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_key() functions do not verify that the point belongs to the expected prime-order subgroup of the curve. A remote attacker can provide a public key point P from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification (ECDSA) and shared key negotiation (ECDH). When the victim computes the shared secret as S = [victim_private_key]P via ECDH, this leaks information about victim_private_key mod (small_subgroup_order). For curves with cofactor > 1, this reveals the least significant bits of the private key. When these weak public keys are used in ECDSA , it's easy to forge signatures on the small subgroup.


9) Improper Handling of Windows Device Names (CVE-ID: CVE-2026-27199)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to the "safe_join" function allows Windows device names as filenames if when preceded by other path segments. A remote attacker can cause reading of the file to hang indefinitely.


Remediation

Install update from vendor's website.

References