Description
IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic when certain configurations exist.
Published: 2026-04-30
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in IBM Db2 versions 11.5.x and 12.1.x allows an authenticated user to trigger a denial of service by causing improper neutralization of special elements in data query logic when certain configurations are present. This flaw can disrupt database operations, potentially rendering the database unavailable for legitimate users. The weakness is catalogued as CWE‑1284, indicating a flaw in neutralization of input during query processing.

Affected Systems

Affected are IBM Db2 on Linux, UNIX, and Windows, including the Db2 Connect Server, for product lines 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3. All installations of these releases that use the specified configuration are vulnerable. The specific affected configuration is the registry variable DB2_EXTENDED_OPTIMIZATION=NLJN_OFLOW.

Risk and Exploitability

The CVSS score of 5.3 reflects a moderate impact with limited impact on confidentiality or integrity, but with the potential to disrupt services. The EPSS score is not published, and the issue is not listed in the CISA KEV catalog, suggesting a lower likelihood of active exploitation in the wild. The vulnerability requires authenticated access and a particular configuration, implying a limited attacker scope. Attackers would need the ability to execute queries against the database, typically through legitimate credentials, making the vulnerability less attractive for widespread attacks but still relevant for environments with unmitigated configurations.

Generated by OpenCVE AI on May 1, 2026 at 04:51 UTC.

Remediation

Vendor Solution

Customers running any vulnerable affected level of an affected Program, V11.5, and V12.1, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent level for each impacted release: V11.5.9. They can be applied to any affected level of the appropriate release to remediate this vulnerability. ReleaseFixed in mod packAPARDownload URLV11.5TBD https://www.ibm.com/support/pages/node/7087189 V12.1 V12.1.4 https://www.ibm.com/support/pages/node/7267513 IBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.

Vendor Workaround

Remove registry variable DB2_EXTENDED_OPTIMIZATION=NLJN_OFLOW by: db2set -im DB2_EXTENDED_OPTIMIZATION=

OpenCVE Recommended Actions

  • Download the special build containing the interim fix for the affected Db2 release from IBM Fix Central and apply it to all affected levels.
  • For V12.1 users, use the release V12.1.4 from the provided download link.
  • As a temporary workaround, clear the registry variable DB2_EXTENDED_OPTIMIZATION=NLJN_OFLOW by running `db2set -im DB2_EXTENDED_OPTIMIZATION=`.

Generated by OpenCVE AI on May 1, 2026 at 04:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 01 May 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ibm:db2:*:*:*:*:*:linux:*:*
cpe:2.3:a:ibm:db2:*:*:*:*:*:unix:*:*
cpe:2.3:a:ibm:db2:*:*:*:*:*:windows:*:*

Fri, 01 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 30 Apr 2026 22:00:00 +0000

Type Values Removed Values Added
Description IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic when certain configurations exist.
Title IBM® Db2® is vulnerable to a denial of service when fetching from certain tables under specific configurations
First Time appeared Ibm
Ibm db2
Weaknesses CWE-1284
CPEs cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:*:*:*
cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:db2:12.1.3:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm db2
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Ibm Db2
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-05-01T16:37:32.038Z

Reserved: 2025-12-14T03:20:30.962Z

Link: CVE-2025-14688

cve-icon Vulnrichment

Updated: 2026-05-01T16:37:26.871Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-30T22:16:24.093

Modified: 2026-05-01T17:52:29.293

Link: CVE-2025-14688

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T05:00:12Z

Weaknesses