SB2026062322 - Multiple vulnerabilities in IBM DataStage on Cloud Pak for Data

Description

This security bulletin contains information about 8 vulnerabilities.

1) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-33871)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to allocation of resources without limits or throttling in the "DefaultHttp2FrameReader" function within HTTP/2 server. A remote attacker can send a flood of CONTINUATION frames and cause a denial of service condition on the target system.

2) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-1525)

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to smuggle HTTP requests.

The vulnerability exists due to inconsistent interpretation of HTTP requests in undici low-level HTTP request APIs when processing headers passed as flat arrays with case-variant duplicate Content-Length names. A remote attacker can supply specially crafted header arrays to smuggle HTTP requests.

Exploitation requires an intermediary and backend to interpret duplicate Content-Length headers inconsistently.

3) Improper handling of highly compressed data (CVE-ID: CVE-2026-1526)

CWE-ID: CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper handling of highly compressed data in PerMessageDeflate.decompress() when decompressing incoming WebSocket frames negotiated with the permessage-deflate extension. A remote attacker can send a specially crafted compressed WebSocket frame to cause a denial of service.

Memory exhaustion occurs in native or external memory and can cause the Node.js process to crash or become unresponsive.

4) CRLF injection (CVE-ID: CVE-2026-1527)

CWE-ID: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to inject arbitrary HTTP headers and smuggle raw data to non-HTTP services.

The vulnerability exists due to improper neutralization of CRLF sequences in the upgrade option of client.request() when processing user-controlled input. A remote attacker can supply a specially crafted upgrade value to inject arbitrary HTTP headers and smuggle raw data to non-HTTP services.

User interaction is required because an application must pass user-controlled input to the upgrade option.

5) Improper Validation of Specified Quantity in Input (CVE-ID: CVE-2026-1528)

CWE-ID: CWE-1284 - Improper Validation of Specified Quantity in Input

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper validation of specified quantity in input in the ByteParser when processing a WebSocket frame with a 64-bit length field. A remote attacker can send an extremely large length value to cause a denial of service.

6) Improper Validation of Specified Quantity in Input (CVE-ID: CVE-2026-2229)

CWE-ID: CWE-1284 - Improper Validation of Specified Quantity in Input

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper validation of specified quantity in WebSocket client permessage-deflate handling when processing a server response containing an out-of-range server_max_window_bits value followed by a compressed frame. A remote attacker can send a crafted WebSocket handshake response and compressed frame to cause a denial of service.

The issue results in an uncaught synchronous RangeError exception that terminates the Node.js process.

7) Resource exhaustion (CVE-ID: CVE-2026-23490)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling RELATIVE-OID with excessive continuation octets. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

8) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-33870)

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Green

The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests within chunked transfer encoding extension values. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/support/pages/node/7277383