Introduction
A low privilege user on any supported release of IBM i can escalate to full administrator control by exploiting how the operating system resolves library references, and IBM says there are no workarounds available. CVE-2026-7870 is the third unqualified library call privilege escalation disclosed on IBM i in roughly one year, turning what might look like a one off bug into a systemic weakness class affecting an estimated 120,000 enterprise installations worldwide.
IBM i (formerly OS/400, running on IBM Power Systems) is the backbone of mission critical operations in finance, manufacturing, healthcare, and retail. The platform holds approximately 35.59% market share in its technology category and remains in demand in 2026 for its integrated database, object based architecture, and reliability. A privilege escalation vulnerability on these systems carries outsized business risk because the data they process is typically among an organization's most sensitive.
Technical Information
Root Cause: Unqualified Library Calls and CWE-427
CVE-2026-7870 is classified under CWE-427: Uncontrolled Search Path Element. The vulnerability exists in the IBM i base operating system, specifically within the 5770-SS1 licensed program. The root cause is straightforward: certain programs within the OS reference library objects by name alone, without specifying the fully qualified library path.
On IBM i, object resolution works through a library list, an ordered sequence of libraries that the system searches when a program calls an object without qualifying it. This is architecturally similar to the PATH environment variable on Unix/Windows systems, the DLL search order on Windows, or LD_PRELOAD on Linux. When a program calls MYSRVPGM instead of MYLIB/MYSRVPGM, the system walks the library list from top to bottom and loads the first object it finds with that name.
The CVSS 3.1 vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, yielding a base score of 8.8. The breakdown:
| CVSS Component | Value | Meaning |
|---|---|---|
| Attack Vector (AV) | Network | Exploitable remotely over the network |
| Attack Complexity (AC) | Low | No specialized conditions required |
| Privileges Required (PR) | Low | Attacker needs basic user level access |
| User Interaction (UI) | None | No victim interaction needed |
| Scope (S) | Unchanged | Impact confined to the vulnerable component |
| Confidentiality (C) | High | Total information disclosure |
| Integrity (I) | High | Total system integrity compromise |
| Availability (A) | High | Total system availability disruption |
Attack Flow
The exploitation follows a well understood pattern for library list hijacking on IBM i:
-
Reconnaissance: The attacker identifies a program in the IBM i base operating system that makes an unqualified library call for a service program or other object. Because the vulnerable code is in the OS itself (5770-SS1), the attacker does not need to find a custom application flaw; the target is a system level program.
-
Malicious object placement: The attacker compiles or restores a malicious program object with the same name as the legitimate target into a library that appears earlier in the job's library list. This requires only basic user level access with compile or restore capability.
-
Triggering the unqualified call: When the vulnerable system program executes and makes the unqualified call, the IBM i resolver traverses the library list and finds the attacker's malicious object first.
-
Privilege escalation: The malicious code executes with the authority of the calling program. Because the calling program in this case operates with administrator privilege, the attacker's code inherits that authority. The result is full administrative control: unrestricted ability to read, modify, or destroy data and disrupt operations.
The network attack vector (AV:N) combined with low attack complexity and low privilege requirements means that any authenticated user with network access to the IBM i system and the ability to compile or restore objects can exploit this vulnerability. No social engineering or additional specialized conditions are required.
Why This Matters Architecturally
The library list is a fundamental feature of IBM i, designed for flexibility and ease of development. It allows the same program to resolve to different library objects depending on the job's configuration, which is useful for testing, multi tenant environments, and version management. However, this flexibility becomes a security liability when system programs rely on unqualified references. The user controllable nature of the library list means that any unqualified call in a privileged program is a potential privilege escalation vector.
The fact that multiple PTFs were required per release (four to five per version) indicates the unqualified library call issue was present in several internal components across 5770-SS1, not just a single code path.
Patch Information
IBM published a formal security bulletin on June 9, 2026 addressing CVE-2026-7870. The bulletin explicitly states there are no workarounds or mitigations available. PTF application is the only remediation path.
The fix qualifies the previously unqualified library calls so that the system resolves them to the intended, known good library location rather than relying on the user controllable search path.
PTFs by Release
| IBM i Release | PTF Numbers |
|---|---|
| 7.6 | SJ09689, SJ09666, SJ10017, SJ09859 |
| 7.5 | SJ09688, SJ09665, SJ09699, SJ10015, SJ09855 |
| 7.4 | SJ09690, SJ09664, SJ09701, SJ10028, SJ09851 |
| 7.3 | SJ09691, SJ09663, SJ10018, SJ09837 |
Multiple PTFs per release indicate the unqualified library call issue was present in several internal components across the 5770-SS1 product. IBM shipped distinct PTFs for each affected component rather than a single monolithic fix.
PTF Details
Examining PTF SJ09688 (for IBM i 7.5) as a representative example: it is categorized as an "OSP-INTERNAL SECURITY ENHANCEMENT" targeting the 5770-SS1 licensed program. It operates on the sy.xpf component and resolves internal known issue DT470876. The PTF was opened on May 13, 2026, carries no prerequisite or corequisite PTFs, and its status is listed as Closed COR (corrected), confirming the fix is finalized and available for download via IBM Fix Central.
The CVE record at cve.org also tags the IBM bulletin reference as both a "vendor-advisory" and "patch," providing independent confirmation of its remedial nature.
Defense in Depth (Not a Substitute for Patching)
While no official workaround exists, MITRE's CWE-427 guidance recommends general measures that can reduce exposure to this class of vulnerability:
- Use fully qualified library references in all application code (e.g.,
MYLIB/MYSRVPGMrather than justMYSRVPGM) - Restrict library list modifications to prevent low privilege users from placing libraries ahead of system libraries in the search path
- Limit compile and restore authority by restricting
CRTxxxandRSTxxxcommand authorities, reducing the ability of low privilege users to place malicious objects on the system
These measures reduce the attack surface for future variants but do not address CVE-2026-7870 itself. Only the PTFs resolve the vulnerability in the OS code.
Affected Systems and Versions
All currently supported releases of IBM i running the 5770-SS1 licensed program (the core operating system) are affected:
- IBM i 7.6
- IBM i 7.5
- IBM i 7.4
- IBM i 7.3
This covers virtually the entire supported install base. IBM advises that unsupported or end of support installations should upgrade to a supported and fixed version, as PTFs are not produced for unsupported releases.
Vendor Security History
CVE-2026-7870 is not an isolated finding. It is the latest in a recurring pattern of unqualified library call privilege escalation vulnerabilities on IBM i:
| CVE | Component | CVSS | Published | Description |
|---|---|---|---|---|
| CVE-2026-7870 | IBM i (base OS) | 8.8 | Jun 2026 | Unqualified library call in base OS allows admin privilege escalation |
| CVE-2025-33122 | IBM Advanced Job Scheduler for i | 8.8 | Jun 2025 | Unqualified library call allows user with compile/restore capability to gain elevated privileges |
| CVE-2025-36367 | IBM i SQL Services | 9.8 | Nov 2025 | Privilege escalation in SQL services affecting versions 7.2 through 7.6 |
| CVE-2026-2311 | IBM i Web Administration GUI | 7.1 | Apr 2026 | Invalid authorization check allows privilege escalation |
Three separate unqualified library call vulnerabilities in approximately one year, all sharing the same CWE-427 root cause, all enabling administrator level privilege escalation. This pattern indicates a systemic code quality issue in IBM i development where library references are not consistently qualified with explicit library names.
Security research firms including Silent Signal and ZeroPath have published multiple IBM i vulnerability disclosures, demonstrating that the platform is receiving increasing scrutiny from the security research community.
The strategic implication for organizations with IBM i systems extends beyond this single CVE: a code audit for all unqualified library calls across custom and vendor applications is warranted. Each unqualified reference in a privileged program represents a potential future vulnerability. Proactive qualification of library references and restriction of compile/restore authorities for low privilege users can reduce the attack surface before the next variant is disclosed.
The IBM X-Force Threat Intelligence Index 2026 adds further context, reporting a 44% increase in attacks exploiting public facing applications, driven by missing authentication controls and AI enabled vulnerability discovery. Privilege escalation flaws like CVE-2026-7870 are precisely the type of vulnerability that attackers are accelerating their efforts to find and exploit.
References
- CVE-2026-7870 Detail (NVD)
- CVE-2026-7870 (cve.org)
- IBM Security Bulletin: IBM i is Affected by Privilege Escalation (CVE-2026-7870)
- IBM Security Bulletin (alternate link)
- IBM Fix Central: PTF SJ09688
- Vulners: IBM i Privilege Escalation Advisory
- CWE-427: Uncontrolled Search Path Element
- IBM Security Bulletin: CVE-2025-33122 (Advanced Job Scheduler)
- CVE-2025-33122 Detail (NVD)
- ZeroPath: IBM i SQL Services Privilege Escalation (CVE-2025-36367)
- SentinelOne: CVE-2025-2947 IBM i Privilege Escalation
- Silent Signal: IBM i Security Services
- IBM X-Force Threat Intelligence Index 2026
- Vigilance.fr: IBM i Privilege Escalation via Unqualified Library Call
- LANSA: Why is the AS400 Still in Demand in 2026?



