SB2026012115 - Multiple vulnerabilities in IBM Voice Gateway

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026012115

SB2026012115 - Multiple vulnerabilities in IBM Voice Gateway

Published: January 21, 2026

Security Bulletin ID SB2026012115
Severity
Medium
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 60% Low 40%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Interpretation conflict (CVE-ID: CVE-2025-12816)

The vulnerability allows a remote attacker to bypass downstream cryptographic verification and security decisions.

The vulnerability exists due to incorrect validation of ASN.1 structures within the asn1.validate() function in forge/lib/asn1.js. A remote non-authenticated attacker can use specially crafted ASN.1 structures to desynchronize DER schema validations and bypass downstream cryptographic verification and security decisions.


2) Inefficient regular expression complexity (CVE-ID: CVE-2025-5889)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions. A remote user can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.


3) Link following (CVE-ID: CVE-2025-54798)

The vulnerability allows a local user to modify data on the system.

The vulnerability exists due to an insecure link following issue. A local user can create a specially crafted symbolic link to a critical file on the system and overwrite it with privileges of the application.


4) Integer overflow (CVE-ID: CVE-2025-66030)

The vulnerability allows a remote attacker to perform spoofing attack. 

The vulnerability exists due to integer overflow within the asn1.derToOid() function in forge/lib/asn1.js when parsing ASN.1 structures containing OIDs with oversized arcs. A remote attacker can construct a specially crafted ASN.1 object to spoof an OID and bypass downstream OID-based security decisions.


5) Uncontrolled recursion (CVE-ID: CVE-2025-66031)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to uncontrolled recursion within the asn1.fromDer() function in forge/lib/asn1.js. A remote non-authenticated attacker can pass specially crafted deep ASN.1 structures to trigger unbounded recursive parsing and perform a denial of service attack.


Remediation

Install update from vendor's website.

References