Description
IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service using a specially crafted SQL query due to improper allocation of system resources.
Published: 2026-04-30
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in IBM Db2 allows an authenticated user to trigger a denial of service by submitting a specially crafted SQL query when the stmtheap configuration is automatic. The vulnerability stems from improper allocation of system resources, leading to resource exhaustion and service interruption. The weakness is characterized as unchecked resource consumption (CWE‑770).

Affected Systems

IBM Db2 versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3 on Linux, UNIX, and Windows systems, including DB2 Connect Server, are affected.

Risk and Exploitability

The CVSS score is 6.5, indicating a medium impact. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires valid DB2 credentials; a local attacker with authentication privileges can craft the query to exhaust resources. IBM mitigations involve installing the special build interim fix and enabling DB2_STRICT_INSTANCE_MEMORY=ON to restrict instance memory usage.

Generated by OpenCVE AI on May 1, 2026 at 04:50 UTC.

Remediation

Vendor Solution

Customers running any vulnerable affected level of an affected Program, V11.5, and V12.1, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent level for each impacted release: V11.5.9. They can be applied to any affected level of the appropriate release to remediate this vulnerability. ReleaseFixed in mod packAPARDownload URLV11.5TBD https://www.ibm.com/support/pages/node/7087189 V12.1 V12.1.4 https://www.ibm.com/support/pages/node/7267513 Note: To apply this fix, it is required to set DB2_STRICT_INSTANCE_MEMORY=ON in addition to installing the above Special Build. IBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.

Vendor Workaround

set dbm cfg instance_memory to a fixed value

OpenCVE Recommended Actions

  • Download and install the special build interim fix for the affected DB2 release from IBM Fix Central.
  • Set DB2_STRICT_INSTANCE_MEMORY=ON to enable strict instance memory limits after applying the patch.
  • Use the workaround of configuring dbm cfg instance_memory to a fixed value to prevent automatic heap adjustments.

Generated by OpenCVE AI on May 1, 2026 at 04:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 01 May 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ibm:db2:*:*:*:*:*:linux:*:*
cpe:2.3:a:ibm:db2:*:*:*:*:*:unix:*:*
cpe:2.3:a:ibm:db2:*:*:*:*:*:windows:*:*

Fri, 01 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 30 Apr 2026 22:00:00 +0000

Type Values Removed Values Added
Description IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service using a specially crafted SQL query due to improper allocation of system resources.
Title IBM® Db2® is vulnerable to a denial of service with a specially crafted query when stmtheap is set to automatic
First Time appeared Ibm
Ibm db2
Weaknesses CWE-770
CPEs cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:*:*:*
cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:db2:12.1.3:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm db2
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Ibm Db2
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-05-01T14:24:18.769Z

Reserved: 2025-04-15T21:16:18.171Z

Link: CVE-2025-36122

cve-icon Vulnrichment

Updated: 2026-05-01T14:24:15.301Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-30T22:16:24.597

Modified: 2026-05-01T17:52:18.300

Link: CVE-2025-36122

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T05:00:12Z

Weaknesses