IBM has released an urgent security bulletin fixing multiple security flaws. These new IBM Aspera vulnerabilities affect high-speed transfer systems utilized globally. Therefore, administrators must apply the latest patches immediately to secure their file transfer networks.
High-Severity Flaws Threaten Enterprise Storage
Several of the bugs present massive risks to enterprise data. For instance, CVE-2026-7876 allows a transfer client to bypass authentication entirely. Consequently, unauthorized actors might access restricted files within the server’s local storage. This flaw received a critical CVSS base score of 9.1.
Furthermore, a path traversal flaw tracked as CVE-2026-9035 impacts the asperahttpd component. This bug enables authenticated users to read arbitrary server files. Thus, malicious insiders could compromise confidential files without authorization.
Buffer Overflows Create Execution Risks
Most critically, the advisory outlines severe memory corruption flaws within asperahttpd. A heap-based buffer overflow, tracked as CVE-2026-8175, carries a CVSS score of 9.8. Attackers can exploit this issue to cause a denial of service. Additionally, the flaw can lead to remote code execution or authentication bypass.
Meanwhile, CVE-2026-8179 details a stack-based buffer overflow. This flaw allows an authenticated user to achieve arbitrary code execution. Finally, CVE-2026-8180 involves a NULL pointer dereference. An unauthenticated user can exploit this to crash the service completely. These dangerous IBM Aspera vulnerabilities demonstrate why prompt system maintenance is vital.
Affected Software and Remediation Guidelines
The security bugs impact both the High-Speed Transfer Server and Endpoint products. Specifically, software versions 3.7.4 through 4.4.7 Fix Pack 1 are vulnerable. To remediate these flaws, IBM recommends upgrading to Fix Pack 2 [1,2].
Vulnerability Summary Table
| CVE ID | Vulnerability Type (CWE) | CVSS Score |
| --- | --- | --- |
| CVE-2026-7876 | Improper Authentication | 9.1 |
| CVE-2026-9035 | Path Traversal | 6.5 |
| CVE-2026-8175 | Heap-based Buffer Overflow | 9.8 |
| CVE-2026-8179 | Stack-based Buffer Overflow | 8.8 |
| CVE-2026-8180 | NULL Pointer Dereference | 7.5 |