ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-7870 — IBM i Privilege Escalation via Unqualified Library Call Affects All Supported Releases

A short review of CVE-2026-7870, a high severity privilege escalation in IBM i caused by unqualified library calls. Patch information and affected version details are included.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-11

Brief Summary: CVE-2026-7870 — IBM i Privilege Escalation via Unqualified Library Call Affects All Supported Releases
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A low privilege user on any supported release of IBM i can escalate to full administrator control by exploiting how the operating system resolves library references, and IBM says there are no workarounds available. CVE-2026-7870 is the third unqualified library call privilege escalation disclosed on IBM i in roughly one year, turning what might look like a one off bug into a systemic weakness class affecting an estimated 120,000 enterprise installations worldwide.

IBM i (formerly OS/400, running on IBM Power Systems) is the backbone of mission critical operations in finance, manufacturing, healthcare, and retail. The platform holds approximately 35.59% market share in its technology category and remains in demand in 2026 for its integrated database, object based architecture, and reliability. A privilege escalation vulnerability on these systems carries outsized business risk because the data they process is typically among an organization's most sensitive.

Technical Information

Root Cause: Unqualified Library Calls and CWE-427

CVE-2026-7870 is classified under CWE-427: Uncontrolled Search Path Element. The vulnerability exists in the IBM i base operating system, specifically within the 5770-SS1 licensed program. The root cause is straightforward: certain programs within the OS reference library objects by name alone, without specifying the fully qualified library path.

On IBM i, object resolution works through a library list, an ordered sequence of libraries that the system searches when a program calls an object without qualifying it. This is architecturally similar to the PATH environment variable on Unix/Windows systems, the DLL search order on Windows, or LD_PRELOAD on Linux. When a program calls MYSRVPGM instead of MYLIB/MYSRVPGM, the system walks the library list from top to bottom and loads the first object it finds with that name.

The CVSS 3.1 vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, yielding a base score of 8.8. The breakdown:

CVSS ComponentValueMeaning
Attack Vector (AV)NetworkExploitable remotely over the network
Attack Complexity (AC)LowNo specialized conditions required
Privileges Required (PR)LowAttacker needs basic user level access
User Interaction (UI)NoneNo victim interaction needed
Scope (S)UnchangedImpact confined to the vulnerable component
Confidentiality (C)HighTotal information disclosure
Integrity (I)HighTotal system integrity compromise
Availability (A)HighTotal system availability disruption

Attack Flow

The exploitation follows a well understood pattern for library list hijacking on IBM i:

  1. Reconnaissance: The attacker identifies a program in the IBM i base operating system that makes an unqualified library call for a service program or other object. Because the vulnerable code is in the OS itself (5770-SS1), the attacker does not need to find a custom application flaw; the target is a system level program.

  2. Malicious object placement: The attacker compiles or restores a malicious program object with the same name as the legitimate target into a library that appears earlier in the job's library list. This requires only basic user level access with compile or restore capability.

  3. Triggering the unqualified call: When the vulnerable system program executes and makes the unqualified call, the IBM i resolver traverses the library list and finds the attacker's malicious object first.

  4. Privilege escalation: The malicious code executes with the authority of the calling program. Because the calling program in this case operates with administrator privilege, the attacker's code inherits that authority. The result is full administrative control: unrestricted ability to read, modify, or destroy data and disrupt operations.

The network attack vector (AV:N) combined with low attack complexity and low privilege requirements means that any authenticated user with network access to the IBM i system and the ability to compile or restore objects can exploit this vulnerability. No social engineering or additional specialized conditions are required.

Why This Matters Architecturally

The library list is a fundamental feature of IBM i, designed for flexibility and ease of development. It allows the same program to resolve to different library objects depending on the job's configuration, which is useful for testing, multi tenant environments, and version management. However, this flexibility becomes a security liability when system programs rely on unqualified references. The user controllable nature of the library list means that any unqualified call in a privileged program is a potential privilege escalation vector.

The fact that multiple PTFs were required per release (four to five per version) indicates the unqualified library call issue was present in several internal components across 5770-SS1, not just a single code path.

Patch Information

IBM published a formal security bulletin on June 9, 2026 addressing CVE-2026-7870. The bulletin explicitly states there are no workarounds or mitigations available. PTF application is the only remediation path.

The fix qualifies the previously unqualified library calls so that the system resolves them to the intended, known good library location rather than relying on the user controllable search path.

PTFs by Release

IBM i ReleasePTF Numbers
7.6SJ09689, SJ09666, SJ10017, SJ09859
7.5SJ09688, SJ09665, SJ09699, SJ10015, SJ09855
7.4SJ09690, SJ09664, SJ09701, SJ10028, SJ09851
7.3SJ09691, SJ09663, SJ10018, SJ09837

Multiple PTFs per release indicate the unqualified library call issue was present in several internal components across the 5770-SS1 product. IBM shipped distinct PTFs for each affected component rather than a single monolithic fix.

PTF Details

Examining PTF SJ09688 (for IBM i 7.5) as a representative example: it is categorized as an "OSP-INTERNAL SECURITY ENHANCEMENT" targeting the 5770-SS1 licensed program. It operates on the sy.xpf component and resolves internal known issue DT470876. The PTF was opened on May 13, 2026, carries no prerequisite or corequisite PTFs, and its status is listed as Closed COR (corrected), confirming the fix is finalized and available for download via IBM Fix Central.

The CVE record at cve.org also tags the IBM bulletin reference as both a "vendor-advisory" and "patch," providing independent confirmation of its remedial nature.

Defense in Depth (Not a Substitute for Patching)

While no official workaround exists, MITRE's CWE-427 guidance recommends general measures that can reduce exposure to this class of vulnerability:

  • Use fully qualified library references in all application code (e.g., MYLIB/MYSRVPGM rather than just MYSRVPGM)
  • Restrict library list modifications to prevent low privilege users from placing libraries ahead of system libraries in the search path
  • Limit compile and restore authority by restricting CRTxxx and RSTxxx command authorities, reducing the ability of low privilege users to place malicious objects on the system

These measures reduce the attack surface for future variants but do not address CVE-2026-7870 itself. Only the PTFs resolve the vulnerability in the OS code.

Affected Systems and Versions

All currently supported releases of IBM i running the 5770-SS1 licensed program (the core operating system) are affected:

  • IBM i 7.6
  • IBM i 7.5
  • IBM i 7.4
  • IBM i 7.3

This covers virtually the entire supported install base. IBM advises that unsupported or end of support installations should upgrade to a supported and fixed version, as PTFs are not produced for unsupported releases.

Vendor Security History

CVE-2026-7870 is not an isolated finding. It is the latest in a recurring pattern of unqualified library call privilege escalation vulnerabilities on IBM i:

CVEComponentCVSSPublishedDescription
CVE-2026-7870IBM i (base OS)8.8Jun 2026Unqualified library call in base OS allows admin privilege escalation
CVE-2025-33122IBM Advanced Job Scheduler for i8.8Jun 2025Unqualified library call allows user with compile/restore capability to gain elevated privileges
CVE-2025-36367IBM i SQL Services9.8Nov 2025Privilege escalation in SQL services affecting versions 7.2 through 7.6
CVE-2026-2311IBM i Web Administration GUI7.1Apr 2026Invalid authorization check allows privilege escalation

Three separate unqualified library call vulnerabilities in approximately one year, all sharing the same CWE-427 root cause, all enabling administrator level privilege escalation. This pattern indicates a systemic code quality issue in IBM i development where library references are not consistently qualified with explicit library names.

Security research firms including Silent Signal and ZeroPath have published multiple IBM i vulnerability disclosures, demonstrating that the platform is receiving increasing scrutiny from the security research community.

The strategic implication for organizations with IBM i systems extends beyond this single CVE: a code audit for all unqualified library calls across custom and vendor applications is warranted. Each unqualified reference in a privileged program represents a potential future vulnerability. Proactive qualification of library references and restriction of compile/restore authorities for low privilege users can reduce the attack surface before the next variant is disclosed.

The IBM X-Force Threat Intelligence Index 2026 adds further context, reporting a 44% increase in attacks exploiting public facing applications, driven by missing authentication controls and AI enabled vulnerability discovery. Privilege escalation flaws like CVE-2026-7870 are precisely the type of vulnerability that attackers are accelerating their efforts to find and exploit.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization