SB2026062509 - Multiple vulnerabilities in IBM Cloud Pak System



SB2026062509 - Multiple vulnerabilities in IBM Cloud Pak System

Published: June 25, 2026

Security Bulletin ID SB2026062509
CSH Severity
High
Patch available
YES
Number of vulnerabilities 26
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 8% Medium 46% Low 46%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 26 vulnerabilities.


1) NULL pointer dereference (CVE-ID: CVE-2026-22795)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error when parsing PKCS#12 file. A remote attacker can pass a specially crafted PKCS#12 file to the application and perform a denial of service (DoS) attack.


2) NULL pointer dereference (CVE-ID: CVE-2025-69421)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error within the PKCS12_item_decrypt_d2i_ex function. A remote attacker can pass a specially crafted PKCS#12 file to the application and perform a denial of service (DoS) attack.


3) NULL pointer dereference (CVE-ID: CVE-2026-28389)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to NULL pointer dereference in CMS KeyAgreeRecipientInfo processing when processing a crafted CMS EnvelopedData message with a missing optional parameters field. A remote attacker can send a crafted CMS message to cause a denial of service.

Applications and services that call CMS_decrypt() on untrusted input, such as S/MIME processing or CMS-based protocols, are affected.


4) NULL pointer dereference (CVE-ID: CVE-2026-28388)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to NULL pointer dereference in delta CRL processing during X.509 certificate verification when processing a malformed delta CRL that contains a Delta CRL Indicator extension but lacks a CRL Number extension. A remote attacker can provide a malformed CRL to cause a denial of service.

Exploitation requires delta CRL processing to be enabled in the verification context and the certificate or base CRL to indicate freshest CRL processing.


5) Use-after-free (CVE-ID: CVE-2026-28387)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to use-after-free in DANE client code when processing server DANE TLSA records during TLSA-based server authentication. A remote attacker can provide crafted TLSA records to execute arbitrary code.

The issue only affects clients that use both PKIX-TA(0) or PKIX-EE(1) certificate usages together with the DANE-TA(2) certificate usage, and the server must publish a TLSA RRset containing both record types.


6) Covert Timing Channel (CVE-ID: CVE-2025-9231)

CWE-ID: CWE-385 - Covert Timing Channel

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to timing side-channel in SM2 signature computations on 64 bit ARM platforms. A remote attacker can recover the private key and decrypt data.


7) Improper Neutralization of Null Byte or NUL Character (CVE-ID: CVE-2025-61985)

CWE-ID: CWE-158 - Improper Neutralization of Null Byte or NUL Character

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to execute arbitrary OS commands on the system.

The vulnerability exists due to incorrect handling of the nullbyte character in an ssh:// URI if a ProxyCommand that uses the %r expansion was configured. A remote attacker can trick the victim into using a specially crafted ssh command to connect to a remote server and execute arbitrary OS commands on the system.

This vulnerability affects ssh client command and does not affect the sshd daemon. 


8) OS Command Injection (CVE-ID: CVE-2025-61984)

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper validation of control characters in usernames obtained from an untrusted source (such as command line and %-sequence expansion of a configuration file). A remote attacker can trick the victim into initiating an ssh connection using a specially crafted configuration file and execute arbitrary shell commands on the system. 

This vulnerability affects ssh client command and does not affect the sshd daemon. 


9) Stack-based buffer overflow (CVE-ID: CVE-2025-15467)

CWE-ID: CWE-121 - Stack-based buffer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters. A remote attacker can supply a specially crafted CMS message with an oversized IV, trigger a stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


10) Out-of-bounds write (CVE-ID: CVE-2024-9143)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when using the low-level GF(2^m) elliptic curve APIs with untrusted explicit values for the field polynomial. A remote attacker can send specially crafted input to the server, trigger an out-of-bounds write and perform a denial of service (DoS) attack.

Note, the vulnerability can be exploited against the application in rare cases only that involve "exotic" curve encoding.


11) Type Confusion (CVE-ID: CVE-2025-69420)

CWE-ID: CWE-843 - Type confusion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a type confusion error within the TS_RESP_verify_response() function when handling ASN1_TYPE data.. A remote attacker can pass a malformed TimeStamp Response to the application and perform a denial of service attack.


12) Type confusion (CVE-ID: CVE-2026-22796)

CWE-ID: CWE-843 - Type confusion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a type confusion error within the PKCS7_digest_from_attributes() function. A remote attacker can pass specially crafted PKCS#7 data to the application, trigger a type confusion error and perform a denial of service attack.


13) Unchecked Return Value (CVE-ID: CVE-2026-31790)

CWE-ID: CWE-252 - Unchecked Return Value

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to incorrect failure handling in RSA KEM RSASVE encapsulation when processing an attacker-supplied invalid RSA public key with EVP_PKEY_encapsulate(). A remote attacker can supply an invalid RSA public key to disclose sensitive information.

The issue affects applications using RSA/RSASVE encapsulation without validating the supplied public key first.


14) Out-of-bounds write (CVE-ID: CVE-2025-69419)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a boundary error within the PKCS12_get_friendlyname() function when parsing PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point. A remote attacker can pass a specially crafted PKCS#12 file to the application, trigger an out-of-bounds write and perform a denial of service attack.


15) Heap-based buffer overflow (CVE-ID: CVE-2026-31789)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to heap-based buffer overflow in hexadecimal conversion when converting an excessively large OCTET STRING value from an untrusted X.509 certificate to a hexadecimal string on 32-bit platforms. A remote attacker can supply a crafted X.509 certificate to execute arbitrary code.

Only 32-bit platforms are affected, and exploitation requires printing or logging untrusted X.509 certificates containing an OCTET STRING value larger than 1 gigabyte.


16) Cleartext transmission of sensitive information (CVE-ID: CVE-2025-69418)

CWE-ID: CWE-319 - Cleartext Transmission of Sensitive Information

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to the trailing 1-15 bytes of a message may be exposed in cleartext on encryption and are not covered by the authentication tag. When using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths, inputs whose length is not a multiple of 16 bytes can leave the final partial block unencrypted and unauthenticated. A remote attacker can intercept traffic and gain access to potentially sensitive information. 


17) Out-of-bounds write (CVE-ID: CVE-2025-68160)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a boundary error within the BIO filter (BIO_f_linebuffer). A remote attacker can pass an overly long string to the application, trigger an out-of-bounds write and perform a denial of service attack.


18) Resource exhaustion (CVE-ID: CVE-2025-66199)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources in CompressedCertificate. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

This issue only affects builds where TLS 1.3 certificate compression is compiled in (i.e., not OPENSSL_NO_COMP_ALG) and at least one compression algorithm (brotli, zlib, or zstd) is available, and where the compression extension is negotiated. Both clients receiving a server CompressedCertificate and servers in mutual TLS scenarios receiving a client CompressedCertificate are affected. 

Servers that do not request client certificates are not vulnerable to client-initiated attacks.


19) Numeric Truncation Error (CVE-ID: CVE-2025-15469)

CWE-ID: CWE-197 - Numeric Truncation Error

CVSSv4: CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to "openssl dgst" one-shot codepath silently truncates inputs larger than 16MB. A remote attacker can spoof contents of the signed message. 

Note, the issue affects only the command-line tool behavior.


20) NULL pointer dereference (CVE-ID: CVE-2025-15468)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error within the SSL_CIPHER_find() function. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.


21) Input validation error (CVE-ID: CVE-2025-66200)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input when parsing the RequestHeader directive in .htaccess files. A local user can bypass mod_userdir+suexec security measures via AllowOverride FileInfo and run certain CGI scripts under an unexpected userid.


22) Code injection (CVE-ID: CVE-2025-65082)

CWE-ID: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSSv4: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to affect web server behavior. 

The vulnerability exists due to improper input validation when handling environment variables set via the Apache configuration. A local user can set specially crafted values that supersede variables calculated by the server for CGI programs.


23) Improper Neutralization of Server-Side Includes (SSI) Within a Web Page (CVE-ID: CVE-2025-58098)

CWE-ID: CWE-97 - Improper Neutralization of Server-Side Includes (SSI) Within a Web Page

CVSSv4: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear


The vulnerability allows a remote attacker to execute arbitrary commands.

The vulnerability exists due to insufficient input validation with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi). The web server passes the shell-escaped query string to #exec cmd="..." directives. A remote attacker can send a specially crafted HTTP request to the server and potentially execute arbitrary code.


24) Integer overflow (CVE-ID: CVE-2025-55753)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to an integer overflow in mod_md (ACME) in the case of failed ACME certificate renewal. The web server will set the backoff timer becoming 0 after a number of failures (~30 days in default configurations), leading to a denial of service condition.


25) Out-of-bounds write (CVE-ID: CVE-2025-9230)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when trying to decrypt CMS messages encrypted using password based encryption. A remote attacker can trigger an out-of-bounds write and execute arbitrary code on the target system.

Successful exploitation of the vulnerability requires that password based (PWRI) encryption support in CMS messages is enabled. 


26) NULL pointer dereference (CVE-ID: CVE-2026-28390)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to NULL pointer dereference in CMS KeyTransportRecipientInfo processing when processing a crafted CMS EnvelopedData message using RSA-OAEP with a missing optional parameters field. A remote attacker can send a crafted CMS message to cause a denial of service.

Applications and services that call CMS_decrypt() on untrusted input, such as S/MIME processing or CMS-based protocols, are affected.


Remediation

Install update from vendor's website.