IBM MQ 9.1/9.2/9.3/9.4 Slowloris release of resource

Summaryinfo

A vulnerability labeled as critical has been found in IBM MQ 9.1/9.2/9.3/9.4. This affects an unknown function. The manipulation results in release of resource. This vulnerability is reported as CVE-2025-36128. The attack can be launched remotely. No exploit exists. The affected component should be upgraded.

Detailsinfo

A vulnerability classified as critical has been found in IBM MQ 9.1/9.2/9.3/9.4. Affected is an unknown part. The manipulation with an unknown input leads to a release of resource vulnerability. CWE is classifying the issue as CWE-772. The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed. This is going to have an impact on availability. CVE summarizes:

IBM MQ 9.1, 9.2, 9.3, 9.4 LTS and 9.3, 9.4 CD is vulnerable to a denial of service, caused by improper enforcement of the timeout on individual read operations. By conducting slowloris-type attacks, a remote attacker could exploit this vulnerability to cause a denial of service.

The advisory is available at ibm.com. This vulnerability is traded as CVE-2025-36128 since 04/15/2025. The exploitability is told to be easy. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. The technical details are unknown and an exploit is not available. This vulnerability is assigned to T1499 by the MITRE ATT&CK project.

Upgrading eliminates this vulnerability.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Vendor

• IBM

Name

• MQ

Version

• 9.1
• 9.2
• 9.3
• 9.4

License

• commercial

Website

• Vendor: https://www.ibm.com/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion