IBM Aspera Hit by Two asperahttpd Buffer Overflows: CVE-2026-8175 / CVE-2026-8179
IBM disclosed two critical buffer overflow vulnerabilities in Aspera High-Speed Transfer Server and Endpoint on May 21, 2026: CVE-2026-8175 (heap BOF, CVSS 9.8, unauthenticated) and CVE-2026-8179 (stack BOF, CVSS 8.8, authenticated). Used by broadcasters, media, and large enterprises worldwide.

Makoto Horikawa
Backend Engineer / AWS / Django
On May 21, 2026, IBM disclosed in a security bulletin that Aspera, the high-speed file transfer product used by broadcasters, video production studios, and financial institutions worldwide, contains two critical buffer overflow vulnerabilities: CVE-2026-8175 (CVSS 9.8) and CVE-2026-8179 (CVSS 8.8).
Affected products are IBM Aspera High-Speed Transfer Server (HSTS) and Aspera High-Speed Transfer Endpoint (HSTE) from v3.7.4 through v4.4.7 Fix Pack 1. Both are widely deployed as the backbone for large-volume data transfers, internally and externally, and are notably used by FOX Sports and major broadcast networks to exchange video material.
The flaws live in asperahttpd, a small HTTP server component bundled with Aspera. IBM acknowledges that the 9.8-rated issue is exploitable without authentication and can lead not only to denial of service but also to authentication bypass and arbitrary code execution.
The vulnerabilities were reported by Dutch security researcher Yannik Marchand (GitHub: Kinnay), an ethical hacker affiliated with Securance who has won multiple international CTF competitions.
What Is IBM Aspera?
Aspera is a high-volume file transfer software originally developed by Aspera Inc. of the United States, which IBM acquired in 2014. Where standard TCP might deliver only a few MB/sec across intercontinental links, Aspera's proprietary FASP protocol can sustain multi-GB/sec transfer speeds, positioning it as IBM's flagship transfer platform.
Common deployment scenarios include:
- Broadcasters exchanging video material (tens of GB of uncompressed footage) between sites
- Film studios shuttling dailies with overseas VFX houses
- Financial institutions running large overnight batch transfers of trading data
- Pharma and scientific organizations sharing massive files such as genomic analysis data
- Government agencies distributing geospatial information and satellite imagery internationally
In 2023, the European Broadcasting Union (EBU) published a piece warning that "the Aspera vulnerability is a cautionary tale for the broadcast industry". The product is indispensable infrastructure for broadcast operations, but it has also repeatedly drawn attention as an attack surface.
Both of the current vulnerabilities sit in asperahttpd (Aspera's management HTTP server). User organizations keep this component running continuously as an admin console and HTTP-based authentication endpoint, and the fact that it is reachable directly over the network is what makes the issue so serious.
CVE-2026-8175: Heap Buffer Overflow (CVSS 9.8, Unauthenticated)
This is the more severe of the two. NVD classifies it as CWE-122 (heap-based buffer overflow). Sending a specially crafted HTTP request to asperahttpd causes memory to be written past the boundary of the heap region (where the program dynamically allocates memory).
| Item | Details |
|---|---|
| CVE ID | CVE-2026-8175 |
| CVSS v3.1 | 9.8 (Critical) |
| CVSS Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Vulnerability Type | CWE-122 Heap BOF |
| Authentication | Not required (PR:N) |
| Expected Impact | Denial of service; authentication bypass; arbitrary code execution |
| Affected Versions | HSTS / HSTE v3.7.4 - v4.4.7 Fix Pack 1 |
Heap buffer overflows are a classic vulnerability class in which an attacker can hijack a program's execution flow via the overwritten memory contents. IBM's advisory lists three impacts in order, "denial of service, authentication bypass, and arbitrary code execution," and the last in particular leads to the catastrophic outcome of letting attackers gain a foothold on the file transfer server itself.
Aspera servers at broadcasters and financial institutions are often exposed to the internet by the nature of the work (receiving material from partners, exchanging files with overseas offices, and so on). Because CVE-2026-8175 requires no prior authentication, the attack succeeds against any server whose URL and port are known to the attacker.
CVE-2026-8179: Stack Buffer Overflow (CVSS 8.8, Authenticated)
This is a buffer overflow in the stack region (where temporary data for function calls is held) of the same asperahttpd binary. NVD classifies it as CWE-121. The CVSS score is 8.8, lower than CVE-2026-8175, but only because "an authenticated user is required to exploit it." Once authentication is past, the same arbitrary code execution outcome is on the table.
| Item | Details |
|---|---|
| CVE ID | CVE-2026-8179 |
| CVSS v3.1 | 8.8 (High) |
| CVSS Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Vulnerability Type | CWE-121 Stack BOF |
| Authentication | Required (PR:L; works with a low-privileged user) |
| Expected Impact | Arbitrary code execution |
| Affected Versions | HSTS / HSTE v3.7.4 - v4.4.7 Fix Pack 1 |
The "authentication required" precondition makes the impact look smaller at first glance, but Aspera is a product where accounts are issued to staff across multiple sites and multiple organizations. If an account belonging to an external partner or contractor is compromised, that low-privileged account becomes the launch point for privilege escalation against the server itself. From an Aspera administrator's perspective, "each external account you have issued is one more potential starting point for CVE-2026-8179."
CVE-2026-8175 and CVE-2026-8179 are two BOFs found in the same component (asperahttpd) and are consolidated in a single IBM bulletin. Patches for both are shipped together.
Affected Scope and Fixed Versions
The affected products and versions are as follows.
| Product | Affected Versions | Fix / Mitigation |
|---|---|---|
| Aspera High-Speed Transfer Server (HSTS) | v3.7.4 - v4.4.7 Fix Pack 1 | Update to the latest Fix Pack per IBM's official advisory |
| Aspera High-Speed Transfer Endpoint (HSTE) | v3.7.4 - v4.4.7 Fix Pack 1 | Update to the latest Fix Pack per IBM's official advisory |
| Aspera Desktop Client | Not listed (server-side component is the target) | Covered by server-side update |
| Aspera Connect | Not listed | Covered by server-side update |
The affected range reaches back as far as v3.7.4, which means organizations that have been postponing upgrades because the software has run stably in-house for years are likely to be impacted. For specific Fix Pack numbers, follow the instructions in IBM's official security bulletin.
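Because the affected range spans several years of releases and includes a Fix Pack qualifier, a plain string comparison of version numbers gets the inventory check wrong. The following added example (not IBM's tooling, and not from the bulletin) parses HSTS/HSTE version strings as stated on this page and ranks an asset list so that affected, internet-facing servers surface first. The version-string formats it accepts ("4.4.7 Fix Pack 1", "4.4.7 FP1", "v4.4.7") and the sample inventory are assumptions; the fixed Fix Pack number is not given on this page, so a version outside the listed range is reported as "outside listed range", not as "fixed".

```python
import re

# Affected range as stated in the bulletin summary on this page:
# HSTS / HSTE v3.7.4 through v4.4.7 Fix Pack 1, inclusive.
# Represented as (major, minor, patch, fixpack); a bare x.y.z is fixpack 0.
AFFECTED_FROM = (3, 7, 4, 0)
AFFECTED_TO = (4, 4, 7, 1)

# Only the server-side products are listed as affected on this page.
AFFECTED_PRODUCTS = {"HSTS", "HSTE"}

# Assumed format of version strings as found in an asset inventory.
VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:\s*(?:Fix\s*Pack|FP)\s*(\d+))?$", re.IGNORECASE
)


def parse_version(text):
    """Return (major, minor, patch, fixpack) for an Aspera version string."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, fixpack = m.groups()
    return (int(major), int(minor), int(patch), int(fixpack or 0))


def is_affected(version):
    """True when the version lies inside the range listed in the bulletin."""
    return AFFECTED_FROM <= parse_version(version) <= AFFECTED_TO


def triage_inventory(hosts):
    """Rank hosts for patching.

    hosts: iterable of (hostname, product, version, internet_facing).
    Priority 1: affected and reachable from the internet (CVE-2026-8175 needs
                no authentication, so these come first).
    Priority 2: affected but internal only (still exposed to CVE-2026-8179
                through any issued account).
    Priority 3: product in scope but version outside the listed range.
    Hosts running products not listed as affected are skipped.
    """
    rows = []
    for hostname, product, version, internet_facing in hosts:
        if product not in AFFECTED_PRODUCTS:
            continue
        if not is_affected(version):
            priority, reason = 3, "outside listed range (confirm Fix Pack level with IBM)"
        elif internet_facing:
            priority, reason = 1, "affected, internet-facing: unauthenticated CVE-2026-8175 reachable"
        else:
            priority, reason = 2, "affected, internal: authenticated CVE-2026-8179 path applies"
        rows.append({"host": hostname, "product": product, "version": version,
                     "priority": priority, "reason": reason})
    rows.sort(key=lambda r: (r["priority"], r["host"]))
    return rows


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_HOSTS = [
    ("xfer-dmz-01", "HSTS", "4.4.7 Fix Pack 1", True),
    ("xfer-int-02", "HSTS", "v4.2.5", False),
    ("edge-03", "HSTE", "4.4.7 FP2", True),
    ("legacy-04", "HSTS", "3.7.3", True),
    ("desk-05", "Connect", "4.2.9", False),
]

if __name__ == "__main__":
    for row in triage_inventory(SAMPLE_HOSTS):
        print(f'P{row["priority"]} {row["host"]:12} {row["version"]:18} {row["reason"]}')
```

Run it against your own export of hostnames and versions; the two boundary versions (v3.7.4 with no Fix Pack and v4.4.7 Fix Pack 1) are deliberately both inside the range, matching the inclusive wording of the advisory summary.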
What To Do Now
1. Apply the Fix Pack from IBM's official advisory. Following IBM Security Bulletin node/7273615, bring HSTS / HSTE up to the latest Fix Pack. Even if there are operational reasons that make it hard to take a production Aspera server down, the fact that CVE-2026-8175 requires no authentication puts this at a severity level where a planned maintenance window should be secured as the top priority.
2. If you cannot patch immediately, restrict asperahttpd's port (9091 by default) to trusted IPs at the firewall. For servers that receive partner traffic, narrow the attack surface with VPN or IP allowlisting. Internet-facing servers in particular need to move up the priority list.
3. Review the last 30 days of access logs. Look for suspicious bursts of HTTP requests against asperahttpd, especially accesses involving abnormally long URL paths or headers. Buffer overflow attack attempts often leave a fingerprint of unnaturally long strings stuffed into parameters.
4. Inventory low-privileged accounts issued to external partners. CVE-2026-8179 is on the authenticated path, but transfer accounts issued to outside parties can serve as the entry point. Disable accounts with no active usage, and for accounts that are still in use, push password resets and MFA enrollment.
5. Ask partners and outsourcers about the status of their Aspera servers. Hardening your own Aspera server does not help if the counterpart you exchange data with is compromised, because the material will be siphoned through that side. The broadcast and media exchange chain has to be addressed as a whole.
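Step 3 above asks for a review of asperahttpd access logs for abnormally long paths and for bursts of requests from one source. The following added example (not part of the original article and not an IBM tool) implements that review as a small triage script. It assumes an NCSA/Apache-style combined log format, since asperahttpd's actual log layout is not documented on this page; adjust LOG_RE to match what your server writes. The log lines embedded below are constructed for the demonstration, including one request with an oversized padded path and one 25-request burst within a minute from a single address.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed combined log format (not asperahttpd's documented format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Thresholds are assumptions; tune them to the longest legitimate Aspera URL
# and user agent you see in a clean baseline of your own logs.
MAX_PATH_LEN = 512
MAX_UA_LEN = 256
MAX_REPEAT_RUN = 64           # long run of one repeated byte = padding fingerprint
BURST_WINDOW = timedelta(seconds=60)
BURST_COUNT = 20              # requests from one source within the window


def parse_line(line):
    """Parse one access-log line; return a dict or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    return entry


def longest_run(s):
    """Length of the longest run of a single repeated character in s."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def find_oversized(entries):
    """Requests whose path or user agent is abnormally long or visibly padded."""
    hits = []
    for e in entries:
        if (len(e["path"]) > MAX_PATH_LEN or len(e["ua"]) > MAX_UA_LEN
                or longest_run(e["path"]) >= MAX_REPEAT_RUN):
            hits.append((e["ip"], e["ts"].isoformat(), len(e["path"]), len(e["ua"])))
    return hits


def find_bursts(entries):
    """Per source address, the peak request count in any BURST_WINDOW (sliding window)."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e["ts"])
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):
            while t - times[start] > BURST_WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= BURST_COUNT:
            bursts[ip] = peak
    return bursts


def triage(lines):
    """Run both checks over raw log lines; unparsable lines are counted, not dropped silently."""
    parsed = [parse_line(l) for l in lines]
    entries = [e for e in parsed if e]
    return {
        "unparsed": len(parsed) - len(entries),
        "oversized": find_oversized(entries),
        "bursts": find_bursts(entries),
    }


# Constructed sample log (addresses from documentation ranges, timestamps made up).
SAMPLE_LOG = [
    '203.0.113.10 - - [22/May/2026:09:14:01 +0000] "GET /aspera/faspex/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [22/May/2026:09:14:03 +0000] "POST /aspera/faspex/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    # one request whose path is padded with 900 copies of a single byte
    '198.51.100.7 - - [22/May/2026:09:20:44 +0000] "GET /aspera/' + "A" * 900 + ' HTTP/1.1" 500 0 "-" "curl/8.0"',
]
# 25 requests from one address inside 48 seconds
SAMPLE_LOG += [
    f'198.51.100.7 - - [22/May/2026:09:21:{s:02d} +0000] "GET /aspera/faspex/ HTTP/1.1" 404 0 "-" "python-requests/2.31"'
    for s in range(0, 50, 2)
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("unparsed lines:", result["unparsed"])
    for ip, ts, plen, ulen in result["oversized"]:
        print(f"oversized request from {ip} at {ts}: path={plen} bytes, ua={ulen} bytes")
    for ip, peak in result["bursts"].items():
        print(f"burst from {ip}: {peak} requests within {BURST_WINDOW.seconds}s")
```

Feed it the last 30 days of logs (for example with `triage(open(path).read().splitlines())`) and review the flagged sources alongside your firewall allowlist; a source that is both oversized and bursting, and is not a known partner address, is the first thing to investigate.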
CISA KEV Status and Hub Article Coordination
As of May 27, 2026, CVE-2026-8175 and CVE-2026-8179 have not yet been added to CISA's KEV catalog. That said, the previous IBM Aspera Faspex vulnerability (CVE-2022-47986) was exploited by ransomware groups within just weeks of disclosure and was promptly added to CISA KEV. Because file transfer infrastructure has extremely high value to attackers, these two CVEs could land on KEV in short order depending on in-the-wild observations.
This site continuously updates the list of CVEs that CISA has designated as actively exploited, along with their remediation deadlines, on our CISA KEV Dashboard (Japanese edition). Federal remediation deadlines, including those that may eventually cover Aspera, are worth tracking even for Japanese enterprises as a benchmark for "deadlines the U.S. side has judged to carry high risk."
References
- NVD - CVE-2026-8175 Detail
- NVD - CVE-2026-8179 Detail
- IBM Security Bulletin - Multiple vulnerabilities in Aspera applications (node/7273615) (May 21, 2026)
- CVE.org - CVE-2026-8175 Record
- CVE.org - CVE-2026-8179 Record
- IBM Aspera Product Page
- EBU Technology & Innovation - The Aspera vulnerability: a cautionary tale for the broadcast industry
- Yannik Marchand - LinkedIn (vulnerability reporter)
- CISA - Known Exploited Vulnerabilities Catalog