CVE-2025-36156 PUBLISHED

IBM InfoSphere Data Replication VSAM for z/OS Remote Source code execution

Assigner: ibm
Reserved: 15.04.2025 Published: 07.10.2025 Updated: 08.10.2025

IBM InfoSphere Data Replication VSAM for z/OS Remote Source 11.4 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. A local user with access to the files storing CECSUB or CECRM on the container could overflow the buffer and execute arbitrary code on the system.

Metrics

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 7.4

Product Status

Vendor IBM
Product InfoSphere Data Replication VSAM for z/OS Remote Source
Versions Default: unaffected
  • affected from 0 to 11.4 (incl.)

Solutions

Resolved in APAR PH67757. Available as version v11.4.0.22 for the VSAM Remote Source x86 container on Fix Central: VSAM_Remote_Source_114_Linux_x86.tar

Problem Types

  • CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer