TL;DR: IBM HTTP Server improper input validation, classified as CWE-94 (Improper Control of Generation of Code, Code Injection). Vendor (IBM PSIRT): 9.8 CRITICAL. The NVD score reflects worst-case network attack assumptions; the vendor score reflects observed exploitation complexity. Patch on the higher score, hunt on the worst-case vector.
What This Vulnerability Is
IBM HTTP Server 8.5 and 9.0 are vulnerable to denial of service and potential remote code execution due to improper input validation.
The National Vulnerability Database assigned this issue a CVSS base score of 9.8, placing it in the CRITICAL category. The identifier CVE-2026-9170 was published on 26 May 2026. The weakness class is CWE-94 (Improper Control of Generation of Code, Code Injection).
- CVE Identifier: CVE-2026-9170
- CVSS Base Score: 9.8 / 10.0 (CRITICAL)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weakness Class: CWE-94 (Improper Control of Generation of Code, Code Injection)
- Published: 26 May 2026
- Vendor Advisory: https://www.ibm.com/support/pages/node/7274065
- NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2026-9170
How a Sherlock Forensic Examiner Triages a Suspected IBM HTTP Server Compromise
If you suspect this vulnerability has been exploited against an IBM HTTP Server instance, the first artifact a Sherlock forensic examiner pulls is the access log. IBM HTTP Server access logs live at /usr/IBM/HTTPServer/logs/access_log on default Unix installs, or under the directory set by the configured CustomLog directive. Filter the log for requests in the 24 hours preceding any service disruption. Pay attention to request URIs and query strings containing unusual characters, repeated long sequences, or patterns consistent with the published vulnerability vector.
The second artifact is the error log. Code-injection exploitation often produces error log entries before the payload completes its primary action. Pull /usr/IBM/HTTPServer/logs/error_log for the same window. Look for module crash entries, child process termination signals or unexpected configuration parse errors that align with the access log payload timestamps.
The third artifact is the configuration. Pull /usr/IBM/HTTPServer/conf/httpd.conf and every included file. Hash each one against the last-known-good configuration backup. An attacker who achieved code execution will often modify configuration to chain the next exploitation step or establish persistence through module loading directives.
The fourth artifact is the process tree. On systems with auditd or BSM enabled, pull process accounting for the IBM HTTP Server UID during the suspected exploitation window. Child processes spawned from the HTTP Server parent that are not the expected worker or module processes are the post-exploitation indicator. Outbound connections from the HTTP Server UID to non-application destinations are lateral movement candidates.
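The first three artifacts above (access log, error log, configuration) lend themselves to a small correlation script. The following is an added example written for this page, not IBM's tooling or the page author's code: it parses access_log lines in the default Apache-style format that IBM HTTP Server inherits, flags requests with unusual characters or repeated sequences inside a time window, pairs each flagged request with error_log entries a few seconds either side of it, and hashes the configuration files against a known-good manifest. Every log line, path, file body and baseline digest is constructed for the demonstration; the heuristics in suspicious_request are anomaly filters for an examiner to review, not a signature for the CVE.

```python
"""Added triage helper for the access_log / error_log / configuration
artifacts. Example code for this page, not IBM's tooling; log formats
follow Apache httpd defaults, and all sample data below is constructed.
In production the lines would be read from the access_log, error_log and
conf/ paths named in the text."""
import hashlib
import re
from datetime import datetime

# Common Log Format prefix (shared by the combined format):
#   client - user [dd/Mon/yyyy:HH:MM:SS zone] "request line" status bytes
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
# Default error_log line: [Day Mon dd HH:MM:SS yyyy] [level] [client ip] message
ERROR_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$')

def parse_access_ts(value):
    # Drop the zone offset; assumes both logs are written from the same clock.
    return datetime.strptime(value.split()[0], "%d/%b/%Y:%H:%M:%S")

def parse_error_ts(value):
    return datetime.strptime(value, "%a %b %d %H:%M:%S %Y")

def suspicious_request(req):
    """Heuristics for the 'unusual characters, repeated long sequences' the
    examiner is told to look for. Anomaly filters, not a CVE signature."""
    reasons = []
    if len(req) > 2048:
        reasons.append("request line longer than 2048 bytes")
    if re.search(r'%[01][0-9A-Fa-f]', req):
        reasons.append("percent-encoded control byte")
    if re.search(r'[^\x20-\x7e]', req):
        reasons.append("non-printable byte")
    if re.search(r'(.{2,20})\1{9,}', req):
        reasons.append("repeated sequence")
    return reasons

def triage_logs(access_lines, error_lines, window_start, window_end, tolerance_s=5):
    """Artifacts one and two: suspicious requests inside the window, each
    paired with non-informational error_log entries within tolerance_s seconds."""
    errors = []
    for line in error_lines:
        m = ERROR_RE.match(line)
        if m:
            errors.append((parse_error_ts(m["ts"]), m["level"], m["msg"]))
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = parse_access_ts(m["ts"])
        if not (window_start <= ts <= window_end):
            continue
        reasons = suspicious_request(m["req"])
        if not reasons:
            continue
        nearby = [e for e in errors
                  if abs((e[0] - ts).total_seconds()) <= tolerance_s
                  and e[1] not in ("info", "debug")]
        hits.append({"ip": m["ip"], "ts": ts, "status": m["status"],
                     "request": m["req"], "reasons": reasons, "errors": nearby})
    return hits

def config_drift(current_files, baseline_digests):
    """Artifact three: SHA-256 each configuration file and compare with the
    last-known-good manifest. Returns (modified, added, missing) paths."""
    modified = sorted(p for p, data in current_files.items()
                      if p in baseline_digests
                      and hashlib.sha256(data).hexdigest() != baseline_digests[p])
    added = sorted(set(current_files) - set(baseline_digests))
    missing = sorted(set(baseline_digests) - set(current_files))
    return modified, added, missing

# --- constructed sample data (not real traffic) ---------------------------
ACCESS_LOG = [
    '203.0.113.5 - - [26/May/2026:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [26/May/2026:10:16:01 +0000] "GET /app/?q=' + "A" * 1200 + ' HTTP/1.1" 500 0',
    '198.51.100.7 - - [26/May/2026:10:16:02 +0000] "GET /app/?q=%00%0a HTTP/1.1" 400 0',
    '203.0.113.9 - - [26/May/2026:12:00:00 +0000] "GET /app/?q=%00 HTTP/1.1" 400 0',  # outside window
]
ERROR_LOG = [
    '[Tue May 26 10:16:01 2026] [notice] [client 198.51.100.7] child pid 4242 exit signal Segmentation fault (11)',
    '[Tue May 26 10:30:00 2026] [info] [client 203.0.113.5] routine entry',
]
WINDOW = (datetime(2026, 5, 26, 10, 0, 0), datetime(2026, 5, 26, 11, 0, 0))

CONF_DIR = "/usr/IBM/HTTPServer/conf/"
KNOWN_GOOD_HTTPD_CONF = b"Listen 80\nServerName www.example.com\n"
BASELINE = {CONF_DIR + "httpd.conf": hashlib.sha256(KNOWN_GOOD_HTTPD_CONF).hexdigest()}
CURRENT = {
    # Same file with an extra module-loading directive appended (constructed).
    CONF_DIR + "httpd.conf": KNOWN_GOOD_HTTPD_CONF + b"LoadModule example_module modules/mod_example.so\n",
    CONF_DIR + "extra.conf": b"# file not present in the baseline\n",
}

if __name__ == "__main__":
    for hit in triage_logs(ACCESS_LOG, ERROR_LOG, *WINDOW):
        print(hit["ts"], hit["ip"], hit["reasons"], len(hit["errors"]), "error entries nearby")
    print(config_drift(CURRENT, BASELINE))
```

The window and tolerance are parameters because the page's guidance is relative ("the 24 hours preceding any service disruption"); widen them when the disruption time is uncertain, and expect the repeated-sequence and control-byte filters to need tuning against legitimate traffic on the host.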
Detection Signature
Illustrative Sigma rule for SIEM-based detection. Tune thresholds to your baseline before production deployment.
```yaml
title: IBM HTTP Server Suspicious Module Behavior CVE-2026-9170
id: cve-2026-9170-ibm-httpd-child-process
status: experimental
description: Detects unexpected child processes spawned from IBM HTTP Server consistent with CVE-2026-9170 exploitation.
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        ParentImage|endswith: '/httpd'
    filter_legitimate:
        Image|endswith:
            - '/httpd'
            - '/rotatelogs'
    condition: selection and not filter_legitimate
level: high
```
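To tune the allow-list before the rule goes into a SIEM, it helps to run its selection / filter_legitimate / condition logic over a baseline of real process-creation events. The following is an added example, not from the page, IBM or the Sigma project: a minimal evaluator that implements only the field modifiers the rule uses (bare equality and endswith), applied to constructed process_creation events whose paths follow the default IBM HTTP Server install layout named in the text.

```python
"""Added example: evaluates the rule above against constructed
process_creation events. Not from the page, IBM or the Sigma project;
supports only the modifiers this rule needs (none, or 'endswith')."""

# Detection blocks transcribed from the Sigma rule above.
RULE = {
    "selection": {"ParentImage|endswith": "/httpd"},
    "filter_legitimate": {"Image|endswith": ["/httpd", "/rotatelogs"]},
}

def field_matches(event, key, expected):
    """Evaluate one Sigma field test; a list of values means any-of."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, ""))
    candidates = expected if isinstance(expected, list) else [expected]
    if modifier == "endswith":
        return any(value.endswith(c) for c in candidates)
    if modifier == "":
        return value in candidates
    raise NotImplementedError(f"modifier {modifier!r} not supported in this evaluator")

def block_matches(event, block):
    """Field tests inside one detection block are ANDed, as in Sigma."""
    return all(field_matches(event, k, v) for k, v in block.items())

def rule_fires(event, rule=RULE):
    """condition: selection and not filter_legitimate"""
    return (block_matches(event, rule["selection"])
            and not block_matches(event, rule["filter_legitimate"]))

def evaluate(events, rule=RULE):
    """Return the events that would raise an alert."""
    return [e for e in events if rule_fires(e, rule)]

# Constructed events; paths follow the default /usr/IBM/HTTPServer layout.
EVENTS = [
    # Worker process forked from the parent: expected, suppressed by the filter.
    {"ParentImage": "/usr/IBM/HTTPServer/bin/httpd", "Image": "/usr/IBM/HTTPServer/bin/httpd"},
    # Log rotation helper: expected, suppressed.
    {"ParentImage": "/usr/IBM/HTTPServer/bin/httpd", "Image": "/usr/IBM/HTTPServer/bin/rotatelogs"},
    # Shell under the web server: the post-exploitation indicator, fires.
    {"ParentImage": "/usr/IBM/HTTPServer/bin/httpd", "Image": "/bin/sh"},
    # Shell from an unrelated parent: outside this rule's scope.
    {"ParentImage": "/usr/sbin/sshd", "Image": "/bin/sh"},
    # Parent whose path does not end in /httpd: outside this rule's scope.
    {"ParentImage": "/usr/IBM/HTTPServer/bin/httpd-helper", "Image": "/bin/sh"},
]

if __name__ == "__main__":
    for e in evaluate(EVENTS):
        print("ALERT", e["ParentImage"], "->", e["Image"])
```

Feed evaluate() a day of baseline events from a healthy host first: any legitimate child that appears (for example a piped-log program configured through CustomLog, or CGI handlers) belongs in filter_legitimate, otherwise the rule will page on routine activity.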
What to Do About It
- Apply the vendor patch. Follow the vendor advisory for the current patched version. Patch on the NVD-9.8 worst-case scoring rather than the vendor-reduced scoring; the NVD score reflects the worst-case attacker scenario, which is what your incident response plan should be built around.
- Run the forensic triage above on any system showing the indicator pattern. The forensic angle in this analysis is grounded in primary-source NVD data and Sherlock incident response methodology. If your team lacks the bandwidth, an external incident response engagement closes the gap.
- Subscribe to the CISA Known Exploited Vulnerabilities catalog. The CISA KEV catalog tracks CVEs with confirmed in-the-wild exploitation. Treat additions to the KEV catalog as emergency patch tickets.
- Document your response. Record what you checked, what you patched and what residual risk remains. This matters for compliance and for any incident response activity that follows.