SB2026070730 - Multiple vulnerabilities in IBM EntireX
Published: July 7, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 6 vulnerabilities.
1) Input validation error (CVE-ID: CVE-2026-34181)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to impersonate a user.
The vulnerability exists due to improper input validation in PKCS#12 file processing for PBMAC1 integrity verification when processing unencrypted PKCS#12 files with a one-byte HMAC key. A remote attacker can submit a crafted PKCS#12 file to impersonate a user.
The forged file is accepted with a 1 in 256 probability.
2) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-34183)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled memory allocation in the QUIC PATH_CHALLENGE handler when processing floods of PATH_CHALLENGE frames. A remote attacker can send a flood of PATH_CHALLENGE frames to cause a denial of service.
The issue affects applications acting as a QUIC client or server.
3) NULL pointer dereference (CVE-ID: CVE-2026-42764)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to NULL pointer dereference in QUIC server initial packet handling when processing an initial packet with an invalid or expired token. A remote attacker can send a crafted initial packet to cause a denial of service.
The issue is reachable only when address validation is disabled, such as when SSL_LISTENER_FLAG_NO_VALIDATE is used with SSL_new_listener().
4) NULL pointer dereference (CVE-ID: CVE-2026-42767)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to NULL pointer dereference in CRMF EncryptedValue decryption when processing a crafted CMP response containing an EncryptedValue structure with an algorithm OID but no parameters field. A remote attacker can send a crafted CMP response to cause a denial of service.
The issue can be triggered by an attacker-controlled CMP server or a man-in-the-middle.
5) Observable discrepancy (CVE-ID: CVE-2026-42768)
CWE-ID: CWE-203 - Observable discrepancy
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to decrypt or sign messages with the victim's private RSA key.
The vulnerability exists due to observable discrepancy in error handling in CMS_decrypt() and PKCS7_decrypt() when processing attacker-supplied CMS or S/MIME messages and exposing decryption errors or output differences. A remote attacker can send crafted messages and observe the application's responses to decrypt or sign messages with the victim's private RSA key.
The attack requires the application to expose the error code and/or decryption output in a way that can be observed by the attacker.
6) Improper Certificate Validation (CVE-ID: CVE-2026-42769)
CWE-ID: CWE-295 - Improper Certificate Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to replace the root CA certificate trusted by CMP clients.
The vulnerability exists due to improper certificate validation in OSSL_CMP_get1_rootCaKeyUpdate() when processing id-it-rootCaKeyUpdate CMP messages. A remote user can send a crafted CMP root CA key update message to replace the root CA certificate trusted by CMP clients.
Exploitation requires credentials that satisfy the CMP message protection checks.
Remediation
Install update from vendor's website.