SB2026070730 - Multiple vulnerabilities in IBM EntireX



SB2026070730 - Multiple vulnerabilities in IBM EntireX

Published: July 7, 2026

Security Bulletin ID SB2026070730
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 83% Low 17%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 vulnerabilities.


1) Input validation error (CVE-ID: CVE-2026-34181)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to impersonate a user.

The vulnerability exists due to improper input validation in PKCS#12 file processing for PBMAC1 integrity verification when processing unencrypted PKCS#12 files with a one-byte HMAC key. A remote attacker can submit a crafted PKCS#12 file to impersonate a user.

The forged file is accepted with a 1 in 256 probability.


2) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-34183)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled memory allocation in the QUIC PATH_CHALLENGE handler when processing floods of PATH_CHALLENGE frames. A remote attacker can send a flood of PATH_CHALLENGE frames to cause a denial of service.

The issue affects applications acting as a QUIC client or server.


3) NULL pointer dereference (CVE-ID: CVE-2026-42764)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to NULL pointer dereference in QUIC server initial packet handling when processing an initial packet with an invalid or expired token. A remote attacker can send a crafted initial packet to cause a denial of service.

The issue is reachable only when address validation is disabled, such as when SSL_LISTENER_FLAG_NO_VALIDATE is used with SSL_new_listener().


4) NULL pointer dereference (CVE-ID: CVE-2026-42767)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to NULL pointer dereference in CRMF EncryptedValue decryption when processing a crafted CMP response containing an EncryptedValue structure with an algorithm OID but no parameters field. A remote attacker can send a crafted CMP response to cause a denial of service.

The issue can be triggered by an attacker-controlled CMP server or a man-in-the-middle.


5) Observable discrepancy (CVE-ID: CVE-2026-42768)

CWE-ID: CWE-203 - Observable discrepancy

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to decrypt or sign messages with the victim's private RSA key.

The vulnerability exists due to observable discrepancy in error handling in CMS_decrypt() and PKCS7_decrypt() when processing attacker-supplied CMS or S/MIME messages and exposing decryption errors or output differences. A remote attacker can send crafted messages and observe the application's responses to decrypt or sign messages with the victim's private RSA key.

The attack requires the application to expose the error code and/or decryption output in a way that can be observed by the attacker.


6) Improper Certificate Validation (CVE-ID: CVE-2026-42769)

CWE-ID: CWE-295 - Improper Certificate Validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to replace the root CA certificate trusted by CMP clients.

The vulnerability exists due to improper certificate validation in OSSL_CMP_get1_rootCaKeyUpdate() when processing id-it-rootCaKeyUpdate CMP messages. A remote user can send a crafted CMP root CA key update message to replace the root CA certificate trusted by CMP clients.

Exploitation requires credentials that satisfy the CMP message protection checks.


Remediation

Install update from vendor's website.