CVE-2025-27365 Overview
CVE-2025-27365 is a denial-of-service vulnerability affecting IBM MQ Operator and IBM-supplied MQ Advanced container images. A connecting MQ client can trigger a segmentation fault (SIGSEGV) in the AMQRMPPA channel process, terminating the channel handler on the queue manager. The flaw is classified as a use-after-free memory error [CWE-416] and requires only low-privilege network access to exploit. Affected versions include IBM MQ Operator LTS 2.0.0 through 2.0.29, MQ Operator CD 3.0.0 through 3.5.1, and MQ Operator SC2 3.2.0 through 3.2.10, plus a broad range of IBM-supplied MQ Advanced container images from 9.2.0.1 through 9.4.2.0.
Critical Impact
An authenticated MQ client can crash the AMQRMPPA channel process on the queue manager, disrupting message brokering for connected applications.
Affected Products
- IBM MQ Operator LTS 2.0.0 through 2.0.29
- IBM MQ Operator CD 3.0.0, 3.0.1, 3.1.0–3.1.3, 3.3.0, 3.4.0, 3.4.1, 3.5.0, 3.5.1 and MQ Operator SC2 3.2.0–3.2.10
- IBM-supplied MQ Advanced container images 9.2.0.1 through 9.4.2.0
Discovery Timeline
- 2025-05-01 - CVE-2025-27365 published to the National Vulnerability Database (NVD)
- 2025-08-25 - Last updated in the NVD database
Technical Details for CVE-2025-27365
Vulnerability Analysis
The vulnerability resides in the AMQRMPPA (Channel Process Pooling Agent) component of IBM MQ, which manages connections from MQ clients to a queue manager. When a client establishes a channel and issues specific input, the agent dereferences memory that has already been released, producing a SIGSEGV and terminating the channel process.
Because AMQRMPPA services channel connections, its termination drops the affected client connections and interrupts message flow until the process is restarted. The flaw maps to [CWE-416] Use After Free, a category of memory corruption where freed heap regions are accessed by stale pointers.
The issue affects both standalone IBM MQ Operator deployments on OpenShift or Kubernetes and the IBM-supplied MQ Advanced container images shipped within those operators. Confidentiality and integrity are unaffected; the impact is limited to availability of the messaging service.
Root Cause
The root cause is a use-after-free condition in the channel process responsible for handling client connections. A code path within AMQRMPPA references a heap object after its lifetime has ended, leading to an invalid memory access and process abort.
Attack Vector
Exploitation requires network reachability to the MQ listener and a valid client connection to a queue manager. An attacker with low-level MQ credentials can establish a channel and submit traffic that drives the vulnerable code path, terminating the channel agent. No user interaction is required, and the attack complexity is low.
No public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. See the IBM Support Document for vendor technical details.
Detection Methods for CVE-2025-27365
Indicators of Compromise
- Unexpected SIGSEGV or abnormal terminations of the AMQRMPPA process recorded in queue manager AMQERR01.LOG or FDC files under /var/mqm/errors.
- Repeated client reconnects from a single source address following channel process crashes.
- Core dumps generated by the MQ runtime within the operator-managed pods.
Detection Strategies
- Monitor IBM MQ error logs and First Failure Data Capture (FDC) entries for crash signatures involving AMQRMPPA.
- Correlate Kubernetes or OpenShift pod restart events for queue manager pods with MQ client connection activity from the same window.
- Inspect MQ channel authentication records and audit logs for unusual client connection patterns preceding crashes.
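An added example (not IBM's code and not part of the original advisory) of the FDC monitoring described above: it parses FDC report headers and flags those where amqrmppa ended on SIGSEGV. The bordered `Field :- value` header layout, the field names and all sample values are constructed assumptions; adjust them to the FDC files found under /var/mqm/errors.

```python
import re
from collections import Counter

# Constructed sample: two FDC-style headers in an assumed "Field :- value" layout.
# Probe ids, hosts and comments are placeholders, not values from the advisory.
SAMPLE_FDC = """\
+------------------------------------------------------+
| Date/Time         :- Thu May 01 2025 10:15:02 UTC    |
| Probe Id          :- XX000001                        |
| Program Name      :- amqrmppa                        |
| QueueManager      :- QM1                             |
| Comment1          :- SIGSEGV: address not mapped     |
+------------------------------------------------------+
+------------------------------------------------------+
| Date/Time         :- Thu May 01 2025 10:20:40 UTC    |
| Probe Id          :- XX000002                        |
| Program Name      :- amqzlaa0                        |
| QueueManager      :- QM1                             |
| Comment1          :- Constructed unrelated failure   |
+------------------------------------------------------+
"""

FIELD = re.compile(r"^\|\s*([A-Za-z][\w /]*?)\s*:-\s*(.*?)\s*\|?\s*$")
BORDER = re.compile(r"^\+-+\+\s*$")

def parse_fdc_headers(text):
    """Return one dict of header fields per bordered report header."""
    reports, current = [], None
    for line in text.splitlines():
        if BORDER.match(line):
            if current:              # closing border ends a populated header
                reports.append(current)
                current = None
            else:                    # opening border starts a new header
                current = {}
            continue
        m = FIELD.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return reports

def amqrmppa_sigsegv(reports):
    """Keep headers where the program is amqrmppa and any field names SIGSEGV."""
    return [r for r in reports
            if "amqrmppa" in r.get("Program Name", "").lower()
            and any("SIGSEGV" in v.upper() for v in r.values())]

def crashes_per_qmgr(hits):
    return Counter(r.get("QueueManager", "unknown") for r in hits)
```

Feeding `crashes_per_qmgr` into an alert threshold per queue manager gives a simple signal to correlate with pod restart events from the same window.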
Monitoring Recommendations
- Enable container runtime telemetry to capture process exits and exit codes for MQ pods.
- Alert on elevated rates of channel disconnect events (MQRC_CONNECTION_BROKEN) reported by client applications.
- Track queue manager availability metrics and channel restart counts as leading indicators of exploitation attempts.
How to Mitigate CVE-2025-27365
Immediate Actions Required
- Upgrade IBM MQ Operator and the underlying MQ Advanced container images to the fixed releases identified in the IBM Support Document.
- Restrict network access to the MQ listener so that only trusted application subnets can establish client channels.
- Review and tighten channel authentication records (CHLAUTH) to enforce strong identity checks on inbound connections.
Patch Information
IBM has published remediation guidance and fixed versions in the vendor advisory. Operators should consult the IBM Support Document for the specific MQ Operator and container image versions that contain the fix, then roll the updated images through their OpenShift or Kubernetes clusters.
Workarounds
- Apply CHLAUTH rules to block client connections from untrusted IP ranges and user IDs until patched images are deployed.
- Configure Kubernetes liveness probes and automatic pod restart policies to recover queue manager pods quickly if AMQRMPPA terminates.
- Place a network policy or service mesh rule in front of the MQ listener to limit exposure to known application workloads.
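* Example: restrict MQ channel access with CHLAUTH (run via runmqsc).
* MQSC comment lines start with an asterisk; CHLAUTH rules apply only when ALTER QMGR CHLAUTH(ENABLED) is in effect.
* Block every address on every channel by default.
SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) ACTION(REPLACE)
* Allow the application subnet on APP.SVRCONN. ADDRESS takes MQ generic IP patterns (wildcard or range), not CIDR notation.
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('10.*') USERSRC(CHANNEL) ACTION(REPLACE)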