SB2026021013 - Multiple vulnerabilities in IBM MQ Operator and Queue manager container images 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026021013

SB2026021013 - Multiple vulnerabilities in IBM MQ Operator and Queue manager container images

Published: February 10, 2026

Security Bulletin ID SB2026021013
Severity
Medium
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 67% Low 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.


1) Resource exhaustion (CVE-ID: CVE-2025-61725)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the ParseAddress function in net/mail does not properly control consumption of internal resources. A remote attacker can compose a specially crafted email message that triggers excessive CPU consumption leading to denial of service. 


2) Path traversal (CVE-ID: CVE-2025-45582)

The vulnerability allows a local user to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A local user can trick the victim into opening a specially crafted HTTP request and read arbitrary files on the system.


3) Resource exhaustion (CVE-ID: CVE-2025-58183)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in archive/tar due to the tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A remote attacker can pass a specially crafted archive to the application and perform a denial of service (DoS) attack.


4) Uncontrolled Recursion (CVE-ID: CVE-2025-9714)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to uncontrolled recursion in XPath evaluation within the xmlXPathRunEval() function in xpath.c. A remote attacker can pass specially crated XML data to the application and perform a denial of service (DoS) attack.


5) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-58186)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in net/http due to the application does not limit the number of cookies sent in the request. A remote attacker can send a lot of very small cookies such as "a=;" and cause large memory consumption. 


6) Improper Output Neutralization for Logs (CVE-ID: CVE-2025-12755)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to improper neutralization of special elements when written to log files. A remote attacker can inject data into log messages on the system.


Remediation

Install update from vendor's website.

References