SB20260626101 - Multiple vulnerabilities in IBM SPSS Analytic Server
Published: June 26, 2026
Description
This security bulletin contains information about 12 vulnerabilities.
1) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-45536)
CWE-ID: CWE-772 - Missing Release of Resource after Effective Lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper resource shutdown in netty_unix_socket_recvFd when receiving SCM_RIGHTS control messages containing two file descriptors over a unix domain socket. A remote attacker can send a specially crafted message to cause a denial of service.
The issue is reachable via Epoll/KQueue DomainSocketChannel only when the application enables DomainSocketReadMode.FILE_DESCRIPTORS.
2) Incorrect Comparison (CVE-ID: CVE-2026-44249)
CWE-ID: CWE-697 - Incorrect Comparison
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to bypass IPv6 subnet access controls.
The vulnerability exists due to incorrect comparison in IpSubnetFilterRule.compareTo() when evaluating IPv6 subnet rules. A remote attacker can use a valid public IP address to bypass IPv6 subnet access controls.
The issue is caused by applying a bitwise AND operation to the configured networkAddress instead of the subnetMask.
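As an added illustration of the comparison error described above (example code, not Netty's own): a correct IPv6 CIDR match applies the subnet mask to both sides before comparing, whereas the variant that ANDs with the network address is one plausible form of the mistake, included as an assumption so that a regression check can show the public addresses on which the two disagree.

```python
# Added example, not code from Netty or IBM. Demonstrates correct IPv6 subnet
# matching beside an assumed form of the CWE-697 bug class (AND with the
# configured network address instead of the subnet mask).
import ipaddress

BITS = 128  # IPv6 address width


def subnet_mask(prefix: int) -> int:
    """Return the 128-bit network mask for a CIDR prefix length."""
    if not 0 <= prefix <= BITS:
        raise ValueError("prefix length out of range")
    return ((1 << prefix) - 1) << (BITS - prefix)


def matches_correct(addr: str, cidr: str) -> bool:
    """Correct check: mask both the candidate and the network, then compare."""
    net = ipaddress.IPv6Network(cidr, strict=False)
    ip = int(ipaddress.IPv6Address(addr))
    mask = subnet_mask(net.prefixlen)
    return (ip & mask) == (int(net.network_address) & mask)


def matches_buggy(addr: str, cidr: str) -> bool:
    """Assumed buggy form (hypothetical): the AND uses the network address,
    so any address whose set bits cover the network's bits 'matches'."""
    net = ipaddress.IPv6Network(cidr, strict=False)
    ip = int(ipaddress.IPv6Address(addr))
    network = int(net.network_address)
    return (ip & network) == network


def find_divergence(cidr: str, candidates: list) -> list:
    """Regression check: addresses on which the two implementations disagree.
    A non-empty result means the filter admits or rejects traffic wrongly."""
    return [a for a in candidates if matches_correct(a, cidr) != matches_buggy(a, cidr)]


if __name__ == "__main__":
    # Constructed sample: one in-subnet address and three outside it.
    sample = ["2001:db8::1", "2001:dbf::1", "2001:db0::1", "2a00::1"]
    print(find_divergence("2001:db8::/32", sample))
```

The correct check agrees with `ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(cidr)` for every input, which is the cross-check a unit test for such a filter should carry.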
3) Generation of Predictable Numbers or Identifiers (CVE-ID: CVE-2026-45673)
CWE-ID: CWE-340 - Generation of Predictable Numbers or Identifiers
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to poison the DNS cache.
The vulnerability exists due to generation of predictable numbers or identifiers in the Netty DNS resolver when generating DNS transaction IDs and using the default static UDP source port for DNS queries. A remote attacker can spoof DNS responses to poison the DNS cache.
Successful exploitation may cause downstream applications to connect to malicious IP addresses, enabling traffic interception or machine-in-the-middle attacks.
4) Insufficient verification of data authenticity (CVE-ID: CVE-2026-45674)
CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to poison the DNS cache.
The vulnerability exists due to insufficient verification of data authenticity in DnsResolveContext buildAliasMap when processing CNAME records in DNS responses. A remote attacker can send a malicious DNS response containing out-of-bailiwick CNAME records to poison the DNS cache.
Any application using Netty's DNS resolver is impacted.
5) Insufficient verification of data authenticity (CVE-ID: CVE-2026-47691)
CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to poison the DNS cache.
The vulnerability exists due to insufficient verification of data authenticity in the DnsResolveContext.AuthoritativeNameServerList handling of NS records when processing DNS responses containing NS records in the AUTHORITY section and A records in the ADDITIONAL section. A remote attacker can provide crafted DNS records to poison the DNS cache.
Exploitation requires control of an authoritative name server for a subdomain, and the poisoned cache can affect future resolutions under the parent domain.
6) Improper Certificate Validation (CVE-ID: CVE-2026-50010)
CWE-ID: CWE-295 - Improper Certificate Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper certificate validation in X509TrustManagerWrapper within netty-handler when establishing client TLS connections with a user-supplied plain X509TrustManager. A remote attacker can present a certificate for an unexpected hostname to disclose sensitive information.
The issue occurs because hostname verification is not performed in this configuration, even when HTTPS endpoint identification is expected by default.
7) Resource exhaustion (CVE-ID: CVE-2026-50560)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper handling of SETTINGS_MAX_HEADER_LIST_SIZE in the netty HTTP/2 codec when processing HTTP/2 requests with a client-supplied maximum header list size setting. A remote attacker can send specially crafted HTTP/2 requests to cause a denial of service.
The issue is similar in effect to the HTTP/2 Rapid Reset attack but has a different on-the-wire signature.
8) Uncontrolled Memory Allocation (CVE-ID: CVE-2026-45416)
CWE-ID: CWE-789 - Uncontrolled Memory Allocation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled memory allocation in SslClientHelloHandler.decode() when processing a TLS ClientHello that does not fit in the first record. A remote attacker can send a specially crafted ClientHello with a large handshake length to cause a denial of service.
The issue is exposed by the commonly used SniHandler and AbstractSniHandler constructors because they disable the client hello length guard and do not schedule a handshake timeout.
9) Resource exhaustion (CVE-ID: CVE-2026-47244)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in the HTTP/2 stream management logic when handling HTTP/2 connections without an explicitly configured concurrent stream limit. A remote attacker can open a large number of streams over a single TCP connection to cause a denial of service.
The issue occurs when the application does not explicitly configure a maximum concurrent streams setting.
10) Resource exhaustion (CVE-ID: CVE-2023-44487)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:A/U:Amber
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper control of consumption of internal resources when handling HTTP/2 requests with compressed HEADERS frames. A remote attacker can send a sequence of compressed HEADERS frames followed by RST_STREAM frames to perform a denial of service (DoS) attack, a.k.a. "Rapid Reset".
Note: the vulnerability is being actively exploited in the wild.
11) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-48043)
CWE-ID: CWE-772 - Missing Release of Resource after Effective Lifetime
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a reference-count leak in DelegatingDecompressorFrameListener when processing HTTP/2 frames that cause the flow-controller to throw. A remote attacker can send crafted frames to cause a denial of service.
The issue may exhaust memory and eventually take down the JVM due to an out-of-memory error.
12) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-50020)
CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to smuggle HTTP requests.
The vulnerability exists due to inconsistent interpretation of HTTP requests in HttpObjectDecoder when parsing requests with non-CRLF control characters before the request-line. A remote attacker can send a specially crafted request to smuggle HTTP requests.
The issue can cause request-boundary confusion when a front-end component interprets the prepended bytes differently in pipelined or multiplexed transports.
Remediation
Install the update from the vendor's website.