SB20260528254 - Multiple vulnerabilities in IBM SPSS Analytic Server
Published: May 28, 2026
Description
This security bulletin contains information about 13 vulnerabilities.
1) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-42577)
CWE-ID: CWE-772 - Missing Release of Resource after Effective Lifetime
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to missing release of resource after effective lifetime in the Netty epoll transport when processing a TCP connection that receives a RST after being half-closed. A remote attacker can send a FIN followed by a RST to cause a denial of service.
Exploitation requires ALLOW_HALF_CLOSURE to be enabled or the connection to enter a half-closed state via the HTTP codec.
2) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-42583)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in io.netty.handler.codec.compression.Lz4FrameDecoder#decode when processing crafted LZ4 frames. A remote attacker can send a specially crafted compressed frame header and payload to cause a denial of service.
On the compressed path, header fields are trusted for sizing, allowing a small request to force allocation of a much larger ByteBuf.
3) CRLF injection (CVE-ID: CVE-2026-41417)
CWE-ID: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject additional HTTP or RTSP requests.
The vulnerability exists due to improper neutralization of CRLF sequences in DefaultHttpRequest.setUri() and DefaultFullHttpRequest.setUri() when encoding attacker-controlled URIs into request lines through HttpRequestEncoder or RtspEncoder. A remote attacker can supply a specially crafted URI containing CRLF sequences to inject additional HTTP or RTSP requests.
Exploitation requires an application to create the request object first, later modify it through setUri(), and then serialize it with HttpRequestEncoder or RtspEncoder.
4) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-33871)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to allocation of resources without limits or throttling in DefaultHttp2FrameReader within the HTTP/2 server. A remote attacker can send a flood of CONTINUATION frames and cause a denial of service condition on the target system.
5) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2025-58056)
CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP/1.1 requests. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of the vulnerability may allow an attacker to poison the HTTP cache and perform phishing attacks.
6) Resource exhaustion (CVE-ID: CVE-2025-58057)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources in BrotliDecoder and other decompression decoders. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
7) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-33870)
CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests within chunked transfer encoding extension values. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
8) HTTP response splitting (CVE-ID: CVE-2026-42578)
CWE-ID: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject arbitrary HTTP headers into CONNECT proxy requests.
The vulnerability exists due to improper neutralization of CRLF sequences in HTTP headers in io.netty.handler.proxy.HttpProxyHandler newInitialMessage() when handling user-influenced outbound headers. A remote attacker can supply crafted header values containing CRLF sequences to inject arbitrary HTTP headers into CONNECT proxy requests.
Exploitation requires an application to use HttpProxyHandler with user-influenced outboundHeaders without performing its own CRLF sanitization.
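Entries 3 and 8 share a root cause: caller-influenced strings reach the request-line or header serializer without a CRLF check. The block below is an added illustration in Python, not Netty's or IBM's code, of the sanitization the entry above says an application must perform itself. Function and class names are this example's own. It validates the method, request-target, header names and header values against the RFC 9110 grammar and refuses anything that could terminate the current line early, so the serializer is the only path to the wire and nothing unvalidated reaches it.

```python
import re

# Constructed example, not Netty's code: validate attacker-influenced parts
# of an outbound request before they are serialized into the wire format.

# RFC 9110 token characters, used for methods and header field names.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# A request-target may contain no whitespace and no C0/DEL control bytes:
# the request-line is delimited by SP and terminated by CRLF.
_BAD_IN_TARGET = re.compile(r"[\x00-\x20\x7f]")
# Field values may contain HTAB (0x09) but no other control bytes; a CR or LF
# would end the field and start a new header or even a new message.
_BAD_IN_FIELD_VALUE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


class HeaderInjectionError(ValueError):
    """Raised when a value would break out of its request-line or header slot."""


def validate_method(method: str) -> str:
    if not _TOKEN.match(method):
        raise HeaderInjectionError(f"invalid method token: {method!r}")
    return method


def validate_request_target(target: str) -> str:
    if not target or _BAD_IN_TARGET.search(target):
        raise HeaderInjectionError(f"request-target contains whitespace or control characters: {target!r}")
    return target


def validate_field_name(name: str) -> str:
    if not _TOKEN.match(name):
        raise HeaderInjectionError(f"invalid header field name: {name!r}")
    return name


def validate_field_value(value: str) -> str:
    if _BAD_IN_FIELD_VALUE.search(value):
        raise HeaderInjectionError(f"header value contains CR/LF or control characters: {value!r}")
    # Surrounding whitespace is not part of the value (RFC 9110 5.5); strip it
    # so a trailing SP cannot be used to confuse a downstream parser.
    return value.strip(" \t")


def encode_request(method: str, target: str, headers: list[tuple[str, str]],
                   version: str = "HTTP/1.1") -> bytes:
    """Serialize a request head; every caller-supplied part is validated first."""
    lines = [f"{validate_method(method)} {validate_request_target(target)} {version}"]
    for name, value in headers:
        lines.append(f"{validate_field_name(name)}: {validate_field_value(value)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def is_rejected(fn, *args) -> bool:
    """True when the validator refuses the input (used by the demo below)."""
    try:
        fn(*args)
    except HeaderInjectionError:
        return True
    return False


if __name__ == "__main__":
    ok = encode_request("CONNECT", "example.com:443",
                        [("Host", "example.com:443"), ("Proxy-Authorization", "Basic dXNlcjpwYXNz")])
    print(ok.decode("latin-1"))
    # Constructed hostile inputs: each carries a line break that would split the message.
    print(is_rejected(validate_request_target, "/index.html HTTP/1.1\r\nHost: other"))
    print(is_rejected(validate_field_value, "example.com\r\nX-Injected: 1"))
```

The check is deliberately a rejection rather than a strip-and-continue: silently removing CR and LF from a value changes its meaning and hides the fact that a caller passed something hostile, whereas an exception surfaces it at the call site where it can be logged.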
9) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-42580)
CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject arbitrary HTTP requests.
The vulnerability exists due to inconsistent interpretation of HTTP requests in io.netty.handler.codec.http.HttpObjectDecoder#getChunkSize when parsing chunked HTTP requests. A remote attacker can send a specially crafted chunked request to inject arbitrary HTTP requests.
10) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-42581)
CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform request smuggling.
The vulnerability exists due to improper input validation in HttpObjectDecoder when processing HTTP/1.0 requests containing both Transfer-Encoding: chunked and Content-Length headers. A remote attacker can send a specially crafted HTTP/1.0 request to perform request smuggling.
Exploitation requires Netty to be deployed behind a downstream proxy or handler that trusts Content-Length over Transfer-Encoding.
11) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-42584)
CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disrupt HTTP parsing integrity and availability on the connection.
The vulnerability exists due to inconsistent interpretation of HTTP responses in HttpClientCodec when processing pipelined HTTP/1.1 responses that include a 1xx response before a GET response body and a subsequent HEAD response. A remote attacker can send a specially crafted sequence of HTTP responses to disrupt HTTP parsing integrity and availability on the connection.
Exploitation requires HTTP/1.1 pipelining, a HEAD request in the pipeline, and a server response sequence that includes a 1xx response.
12) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-42585)
CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject arbitrary HTTP requests.
The vulnerability exists due to inconsistent interpretation of HTTP requests in HttpRequestDecoder when parsing malformed Transfer-Encoding headers. A remote attacker can send a specially crafted HTTP request with a malformed "Transfer-Encoding: chunked, identity" header to inject arbitrary HTTP requests.
Exploitation is possible in deployments where a proxy forwards such malformed requests to Netty instead of rejecting them.
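Entries 7, 9, 10 and 12 are all framing ambiguities in chunked and Transfer-Encoding handling. The following added example, written in Python and not taken from Netty or IBM, shows the strict checks a server-side or proxy-side parser can apply, following RFC 9112 sections 6 and 7.1: reject a message carrying both Transfer-Encoding and Content-Length, reject Transfer-Encoding in an HTTP/1.0 message, reject "identity" or any coding list in which chunked is not the single final coding, and parse each chunk-size line as hex digits followed only by well-formed extensions. The size limits and all names are this example's own assumptions.

```python
import re

# Constructed example, not Netty's HttpObjectDecoder: a strict HTTP/1.x
# framing check that rejects ambiguous messages instead of guessing which
# body length a peer on the other side of a proxy will believe.

_TOKEN_RE = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_TOKEN = re.compile(rf"^{_TOKEN_RE}$")
_HEXDIG = re.compile(r"^[0-9A-Fa-f]+")
# One chunk extension (RFC 9112 7.1.1): BWS ";" BWS name [ BWS "=" (token | quoted-string) ]
_CHUNK_EXT = re.compile(
    rf'[ \t]*;[ \t]*{_TOKEN_RE}(?:[ \t]*=(?:{_TOKEN_RE}|"(?:[\t !#-\[\]-~]|\\[\t -~])*"))?'
)
MAX_CHUNK_SIZE_HEX_DIGITS = 8   # assumed limit: 8 hex digits (4 GiB) is far above any sane chunk
MAX_CHUNK_EXT_LENGTH = 256      # assumed limit on extension bytes per chunk header


class FramingError(ValueError):
    """The message framing is invalid or ambiguous; answer 400 and close the connection."""


def determine_body_framing(version: str, headers: list[tuple[str, str]]) -> str:
    """Return 'chunked', 'content-length' or 'none' for a request head.

    Transfer-Encoding together with Content-Length, Transfer-Encoding in HTTP/1.0,
    a coding list where chunked is not the single final coding, and a malformed or
    conflicting Content-Length are all rejected rather than reconciled (RFC 9112 6).
    """
    te = [v for k, v in headers if k.lower() == "transfer-encoding"]
    cl = [v for k, v in headers if k.lower() == "content-length"]
    if te and cl:
        raise FramingError("both Transfer-Encoding and Content-Length present")
    if te:
        if version == "HTTP/1.0":
            raise FramingError("Transfer-Encoding in an HTTP/1.0 message")
        # Split the comma-separated list and drop any transfer-parameters after ';'.
        codings = [c.split(";", 1)[0].strip().lower() for v in te for c in v.split(",")]
        if not all(_TOKEN.match(c) for c in codings):
            raise FramingError(f"malformed Transfer-Encoding: {te!r}")
        if "identity" in codings:
            # 'identity' is not a transfer coding in HTTP/1.1; this is the
            # malformed 'chunked, identity' form from the entry above.
            raise FramingError("identity is not a valid transfer coding")
        if codings[-1] != "chunked" or codings.count("chunked") != 1:
            raise FramingError("chunked must be the final and only chunked coding")
        return "chunked"
    if cl:
        # A repeated Content-Length is tolerable only if every copy is identical.
        values = {x.strip() for v in cl for x in v.split(",")}
        if len(values) != 1 or not re.fullmatch(r"[0-9]+", next(iter(values))):
            raise FramingError(f"invalid or conflicting Content-Length: {cl!r}")
        return "content-length"
    return "none"


def parse_chunk_size_line(line: bytes) -> int:
    """Parse 'chunk-size [chunk-ext]' (CRLF already removed) and return the size."""
    try:
        text = line.decode("ascii")
    except UnicodeDecodeError as exc:
        raise FramingError("non-ASCII byte in chunk header") from exc
    if any(ch in "\r\n\x00" for ch in text):
        raise FramingError("control character in chunk header")
    m = _HEXDIG.match(text)
    if not m:
        raise FramingError(f"chunk-size must start with hex digits: {text!r}")
    digits = m.group(0)
    if len(digits) > MAX_CHUNK_SIZE_HEX_DIGITS:
        raise FramingError("chunk-size too long")
    rest = text[len(digits):]
    if len(rest) > MAX_CHUNK_EXT_LENGTH:
        raise FramingError("chunk extensions too long")
    # Everything after the digits must be a sequence of well-formed extensions;
    # a stray space, a second number or an unterminated quote is rejected.
    pos = 0
    while pos < len(rest):
        ext = _CHUNK_EXT.match(rest, pos)
        if not ext:
            raise FramingError(f"malformed chunk extension: {rest!r}")
        pos = ext.end()
    return int(digits, 16)


def is_rejected(fn, *args) -> bool:
    """True when the parser refuses the input (used by the demo below)."""
    try:
        fn(*args)
    except FramingError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample heads and chunk headers, valid and invalid.
    print(determine_body_framing("HTTP/1.1", [("Transfer-Encoding", "chunked")]))
    print(is_rejected(determine_body_framing, "HTTP/1.1", [("Transfer-Encoding", "chunked, identity")]))
    print(parse_chunk_size_line(b'1a;name="quoted;value"'), is_rejected(parse_chunk_size_line, b"1a 1b"))
```

A parser this strict will refuse some traffic that lenient implementations accept; that is the point. Every accepted message has exactly one body length under every conforming interpretation, so a proxy in front of it and the application behind it cannot disagree about where one request ends and the next begins.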
13) Resource exhaustion (CVE-ID: CVE-2026-42587)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in HttpContentDecompressor and DelegatingDecompressorFrameListener when processing compressed HTTP request bodies with Content-Encoding set to br, zstd, or snappy. A remote attacker can send a specially crafted compressed payload to cause a denial of service.
The configured maxAllocation limit is enforced for gzip and deflate, but is silently ignored for brotli, zstd, and snappy. The issue affects both HTTP/1.1 and HTTP/2 handling.
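Entries 2, 6 and 13 are variants of one failure: the decoded size of a compressed body is not bounded for every codec. As an added example, in Python and not Netty's HttpContentDecompressor, the block below enforces a single maxAllocation-style limit through zlib's streaming API for gzip and deflate, and refuses any Content-Encoding for which no bounded decoder is registered, so a codec that the limit "silently ignores" cannot exist. Sample bodies are constructed inline; the limit values and all names are assumptions of the example.

```python
import zlib
from typing import Callable, Iterable

# Constructed example, not Netty's code: a decompression limit that is enforced
# the same way for every content coding, and that refuses codings it cannot
# bound instead of passing them through unlimited.


class DecompressionLimitExceeded(ValueError):
    """The decoded body would exceed the configured maximum allocation."""


class UnsupportedContentCoding(ValueError):
    """No bounded decoder is registered for this Content-Encoding."""


def bounded_inflate(chunks: Iterable[bytes], max_output: int) -> bytes:
    """Decode a gzip or zlib ('deflate') stream without ever holding more than max_output bytes.

    wbits=47 lets zlib autodetect a gzip or zlib header. The max_length argument of
    decompress() bounds the output of each call; input it did not consume is kept in
    unconsumed_tail and fed back in on the next iteration.
    """
    d = zlib.decompressobj(47)
    out = bytearray()
    for chunk in chunks:
        data = chunk
        while data:
            # max_length=0 would mean "unlimited", so always ask for at least 1 byte:
            # at the limit this either consumes the stream trailer or proves the body is too big.
            budget = max(max_output - len(out), 1)
            piece = d.decompress(data, budget)
            if len(out) + len(piece) > max_output:
                raise DecompressionLimitExceeded(f"decoded body exceeds {max_output} bytes")
            out += piece
            data = d.unconsumed_tail
    tail = d.flush()
    if len(out) + len(tail) > max_output:
        raise DecompressionLimitExceeded(f"decoded body exceeds {max_output} bytes")
    out += tail
    if not d.eof:
        raise ValueError("truncated compressed stream")
    return bytes(out)


# Bounded decoders keyed by Content-Encoding token. Only codings that have a
# bounded decoder are listed; br, zstd and snappy would need the same
# max_output plumbing with their own libraries before being added here.
BOUNDED_DECODERS: dict[str, Callable[[Iterable[bytes], int], bytes]] = {
    "gzip": bounded_inflate,
    "x-gzip": bounded_inflate,
    "deflate": bounded_inflate,
}


def decompress_body(content_encoding: str, chunks: Iterable[bytes], max_output: int) -> bytes:
    """Apply the registered bounded decoder; an unknown coding is refused, not passed through."""
    coding = content_encoding.strip().lower()
    if coding in ("", "identity"):
        body = b"".join(chunks)
        if len(body) > max_output:
            raise DecompressionLimitExceeded(f"body exceeds {max_output} bytes")
        return body
    decoder = BOUNDED_DECODERS.get(coding)
    if decoder is None:
        raise UnsupportedContentCoding(f"no bounded decoder for Content-Encoding: {coding!r}")
    return decoder(chunks, max_output)


def gzip_compress(data: bytes) -> bytes:
    """Produce a gzip container (wbits=31) for the constructed samples below."""
    c = zlib.compressobj(9, zlib.DEFLATED, 31)
    return c.compress(data) + c.flush()


# Constructed sample bodies: a small normal body, and a highly compressible one
# whose decoded size dwarfs its size on the wire (only a few KiB compressed).
SAMPLE_BODY = b'{"query": "SELECT 1", "rows": 1}'
SAMPLE_GZIP = gzip_compress(SAMPLE_BODY)
BOMB_DECODED_SIZE = 4 * 1024 * 1024
BOMB_GZIP = gzip_compress(b"\0" * BOMB_DECODED_SIZE)

if __name__ == "__main__":
    print(len(BOMB_GZIP), "bytes on the wire ->", BOMB_DECODED_SIZE, "bytes decoded")
    print(decompress_body("gzip", [SAMPLE_GZIP], 1024))
    try:
        decompress_body("gzip", [BOMB_GZIP[i:i + 512] for i in range(0, len(BOMB_GZIP), 512)], 1024 * 1024)
    except DecompressionLimitExceeded as e:
        print("rejected:", e)
```

Two design points carry over to any codec. First, the limit is checked on decoded output as it is produced, not estimated from headers or from the compressed size, so a small request cannot buy a large allocation. Second, the dispatch table is the only way a coding gets decoded, which makes "limit enforced for gzip but not for brotli" a configuration that cannot be expressed: either a coding has a bounded decoder or the request is rejected.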
Remediation
Install the update from the vendor's website.