SB2026042940 - Multiple vulnerabilities in IBM Watson Discovery Cartridge

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-2359)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to missing release of resource after effective lifetime in the file upload handling component when processing a file upload connection that is dropped prematurely. A remote attacker can drop the connection during file upload to cause a denial of service.

The issue can lead to resource exhaustion.

2) Incomplete cleanup (CVE-ID: CVE-2026-3304)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to incomplete cleanup in multer when handling malformed requests. A remote attacker can send malformed requests to cause a denial of service.

The issue may result in resource exhaustion.

3) Uncontrolled Recursion (CVE-ID: CVE-2026-3520)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled recursion in multer when handling malformed requests. A remote attacker can send a specially crafted request to cause a denial of service.

The issue may result in stack overflow.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/support/pages/node/7271023