CVE-2026-6936 Overview
CVE-2026-6936 affects IBM i versions 7.6, 7.5, 7.4, and 7.3. The vulnerability resides in the Integrated Language Environment (ILE) compiler and stems from uncontrolled recursion [CWE-674]. An authenticated attacker can trigger a denial-of-service condition by compiling specially crafted source code containing a specific combination of statements. Successful exploitation exhausts compiler resources and disrupts availability of the affected system. The flaw requires valid credentials and low attack complexity, with no user interaction needed.
Critical Impact
An authenticated attacker can cause a denial of service on IBM i systems by submitting crafted source code to the ILE compiler, impacting system availability.
Affected Products
- IBM i 7.6
- IBM i 7.5
- IBM i 7.4
- IBM i 7.3
Discovery Timeline
- 2026-05-27 - CVE-2026-6936 published to NVD
- 2026-05-27 - Last updated in the NVD database
Technical Details for CVE-2026-6936
Vulnerability Analysis
The vulnerability is a denial-of-service condition in the ILE compiler shipped with IBM i. The compiler fails to enforce a depth limit on a recursive parsing or evaluation routine. When the compiler encounters a specific combination of source statements, the recursive routine continues calling itself until process resources are exhausted. The result is an unstable or unresponsive compiler process, which can degrade or interrupt service for other compilation tasks on the system.
The issue is classified under [CWE-674] Uncontrolled Recursion. Attackers do not need elevated privileges. They need only the ability to submit source code to the ILE compiler on the target IBM i system. The vulnerability does not affect confidentiality or integrity, but it directly impacts availability.
Root Cause
The ILE compiler lacks proper bounds checking on recursive descent during source code processing. Specific syntactic constructs cause the compiler routine to recurse without a termination guard, consuming stack or heap resources until the process fails or system performance degrades. Refer to the IBM Support Page for vendor technical details.
Attack Vector
Exploitation requires an authenticated user with permission to invoke the ILE compiler. The attacker submits a source file containing the triggering combination of statements. Compilation initiates the recursive routine, which consumes resources until the compiler process fails. Repeated submissions can amplify impact and disrupt legitimate compilation workloads on the host.
No verified public proof-of-concept code is available. See the IBM Support Page for technical details.
Detection Methods for CVE-2026-6936
Indicators of Compromise
- Unexpected termination or abnormal end (ABEND) of ILE compiler jobs on IBM i systems.
- Spikes in CPU or memory consumption tied to compiler subsystem activity.
- Repeated compilation attempts from a single authenticated user submitting unusual source files.
Detection Strategies
- Monitor IBM i job logs and QHST history logs for compiler job failures with stack-exhaustion or recursion-related error messages.
- Audit user activity on compilation commands such as CRTBNDRPG, CRTRPGMOD, CRTCMOD, and CRTBNDCL for anomalous frequency or unusual source members.
- Correlate authentication events with compiler invocation patterns to identify suspicious users.
Monitoring Recommendations
- Forward IBM i audit journal (QAUDJRN) and job log data to a central SIEM for behavioral analysis.
- Establish baselines for ILE compiler job duration and resource consumption to alert on outliers.
- Track repeated compilation failures associated with the same user profile or library.
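As an added example (not part of the advisory or of any IBM tooling), the following Python implements the "repeated compilation failures from the same user profile" check from the detection and monitoring lists above, run over constructed, simplified log records: the pipe-delimited field layout, the ABEND outcome marker and the user and job names are assumptions standing in for job log or QHST data exported to a SIEM, not real IBM i output.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Compile commands named in the advisory; extend with other compilers used on site.
COMPILE_COMMANDS = {"CRTBNDRPG", "CRTRPGMOD", "CRTCMOD", "CRTBNDCL"}

# Constructed sample records in a simplified "timestamp|user|job|command|outcome"
# form, standing in for job log / QHST entries exported to a SIEM (not real IBM i output).
SAMPLE_LOG = """\
2026-05-27T09:00:01|DEV01|QPADEV0001|CRTBNDRPG|COMPLETED
2026-05-27T09:02:10|DEV01|QPADEV0001|CRTRPGMOD|COMPLETED
2026-05-27T09:10:00|OPS77|QPADEV0009|CRTBNDRPG|ABEND
2026-05-27T09:10:40|OPS77|QPADEV0009|CRTBNDRPG|ABEND
2026-05-27T09:11:15|OPS77|QPADEV0009|CRTCMOD|ABEND
2026-05-27T09:12:02|OPS77|QPADEV0009|CRTBNDCL|ABEND
2026-05-27T14:30:00|DEV02|QPADEV0003|CRTBNDRPG|ABEND
"""

def parse_records(text):
    """Parse the export, keeping only records for compiler commands."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, job, cmd, outcome = line.split("|")
        if cmd in COMPILE_COMMANDS:
            records.append({"ts": datetime.fromisoformat(ts), "user": user,
                            "job": job, "cmd": cmd, "outcome": outcome})
    return records

def repeated_failures(records, window=timedelta(minutes=10), threshold=3):
    """Map each user profile to the most compiler ABENDs it produced inside any
    sliding time window; only users at or above the threshold are returned."""
    by_user = defaultdict(list)
    for r in records:
        if r["outcome"] == "ABEND":
            by_user[r["user"]].append(r["ts"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged
```

Calling `repeated_failures(parse_records(SAMPLE_LOG))` flags only OPS77 (four ABENDs in two minutes); the single DEV02 failure stays below the threshold, which is the baseline-versus-outlier distinction the monitoring recommendations describe.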
How to Mitigate CVE-2026-6936
Immediate Actions Required
- Apply the IBM-provided fix referenced in the IBM Support Page for IBM i 7.6, 7.5, 7.4, and 7.3.
- Restrict access to ILE compilation commands to trusted developer profiles using object authority controls.
- Audit existing user profiles to remove unnecessary *USE authority on compiler commands and related libraries.
Patch Information
IBM has published a security bulletin and PTFs addressing this vulnerability. Administrators should review the IBM Support Page and apply the appropriate PTF for each affected IBM i release (7.6, 7.5, 7.4, 7.3).
Workarounds
- Limit authority on ILE compiler commands such as CRTBNDRPG, CRTRPGMOD, CRTCMOD, and CRTBNDCL to specific developer groups.
- Enforce code review processes for source members before compilation in shared environments.
- Monitor and rate-limit interactive and batch compilation jobs initiated by non-development user profiles.
/* Configuration example: restrict authority on an ILE compile command.   */
/* Revoke the default public authority, then grant *USE to the developer  */
/* group profile (DEVGRP is a placeholder). Repeat for each compiler      */
/* command listed above, and re-check the authorities after PTFs or a     */
/* release upgrade in case the IBM-supplied command object is replaced.   */
GRTOBJAUT OBJ(QSYS/CRTBNDRPG) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT OBJ(QSYS/CRTBNDRPG) OBJTYPE(*CMD) USER(DEVGRP) AUT(*USE)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.