IBM WebSphere Application Server, Denial of Service (DoS), CVE-2026-4410 (Medium) -DC-Jun2026-60

Listen to this Post

CVE-2026-4410 enables a remote DoS attack against IBM WebSphere Application Server and Liberty by exhausting memory resources. The vulnerability lies in how the server’s `sipServlet-1.1` feature handles specially-crafted requests, leading to uncontrolled resource consumption and, ultimately, a denial of service.
The vulnerable code exists within the `sipServlet-1.1` module, which processes Session Initiation Protocol (SIP) messages. When enabled, the server listens for requests on the SIP port (default 5060). The core issue is a failure to properly manage internal memory allocations during the parsing or handling of certain attack requests.
By sending a specifically engineered packet to the SIP port, an attacker can trigger a memory leak or cause the server to allocate an unmanageable amount of memory. The application does not properly control consumption of internal resources, and a remote attacker can exploit this vulnerability to cause the server to consume memory resources.
This resource exhaustion causes the server to become unstable or crash, disrupting all services (HTTP, HTTPS, other ports) on the instance as the JVM runs out of heap memory. Crucially, the attack does not require the `sipServlet-1.1` feature to be actively used for processing calls; the mere enabling of the feature makes the SIP port vulnerable. The CVSS base score from NIST is 7.5 HIGH, while IBM Corporation assessed it as 4.8 MEDIUM.

DailyCVE Form:

Platform: IBM WebSphere
Version: 8.5, 9.0,
Vulnerability : Uncontrolled Resource Consumption
Severity: Medium (4.8)
date: May 27, 2026

Prediction: 3rd Quarter 2026

What Undercode Say: Analytics

The following commands can help identify vulnerable versions by checking the product installation details. The Nessus plugin `websphere_7273424.nasl` can be used for automated scanning.

Check WebSphere traditional version
grep "version" /opt/IBM/WebSphere/AppServer/properties/version/version.properties
Check Liberty version
cat /opt/ibm/wlp/usr/servers/serverName/.version.txt
Check Liberty features configuration
cat /opt/ibm/wlp/usr/servers/serverName/server.xml | grep sipServlet-1.1
Nessus scan command
nessus -q -T html -i target_ips.txt -p websphere_7273424.nasl

Exploit:

As a Proof of Concept, the attacker first identifies if the target’s SIP port (5060) is open and the `sipServlet-1.1` feature is enabled. Next, they craft a malicious SIP `REGISTER` request (or other packets), injecting a specially malformed tag (e.g., an extremely long `Call-ID` header or invalid sequence numbers). This malformed packet is sent in a single request, not as a flood, causing the vulnerable parser to allocate all available memory in the JVM heap.

Example malformed SIP packet to trigger memory consumption
printf "REGISTER sip:target SIP/2.0\r\nCall-ID: $(perl -e 'print "A" x 100000')\r\n\r\n" | nc -u target_ip 5060

Protection:

Protect your systems by verifying if the `sipServlet-1.1` feature is needed. If not, immediately disable it to eliminate the attack vector.

Disable sipServlet-1.1 in Liberty
sed -i '/sipServlet-1.1/d' /opt/ibm/wlp/usr/servers/serverName/server.xml
Apply the IBM Interim Fix (PH70616 or PH70807) or upgrade to 9.0.5.28, 8.5.5.30, or Liberty 26.0.0.6

Impact:

An unauthenticated remote attacker with network access to the SIP port can crash the WebSphere JVM. Successful exploitation leads to complete system unavailability for all hosted applications, resulting in a denial of service without requiring any special privileges or user interaction.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top