Description
IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in the data query logic of XMLTable-derived columns.
Published: 2026-06-30
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated user can trigger a denial of service by exploiting improper neutralization of special elements in the data query logic of XMLTable-derived columns within IBM Db2. The flaw occurs when the system processes XMLTable expressions containing special elements, which can cause the database to become unresponsive. The weakness is classified as CWE-1284 (Improper Neutralization of Special Elements in Data Query Logic).

Affected Systems

IBM Db2 versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 on Linux, UNIX and Windows, including Db2 Connect Server, are affected.

Risk and Exploitability

The CVSS score of 6.5 denotes moderate severity. EPSS information is unavailable, and the vulnerability is not listed in CISA KEV, so there is no publicly known exploitation. The likely attack vector requires an authenticated user who can execute queries that reference XMLTable-derived columns. Successful exploitation causes a service interruption, but it requires valid Db2 credentials.

Generated by OpenCVE AI on June 30, 2026 at 21:25 UTC.

Remediation

Vendor Solution

Customers running any vulnerable affected level of an affected Program, V11.5, and V12.1, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent level for each impacted release: V11.5.9, and V12.1.4. They can be applied to any affected level of the appropriate release to remediate this vulnerability.

Release | Fixed in mod pack | APAR | Download URL
V11.5 | TBD | | https://www.ibm.com/support/pages/node/7087189
V12.1 | TBD | | https://www.ibm.com/support/pages/node/7267513

IBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.


OpenCVE Recommended Actions

  • Obtain and install the interim fix build for your Db2 release from Fix Central as outlined by IBM.
  • Restart Db2 services after installation to ensure the new build is loaded.
  • Continue to monitor system logs for abnormal behavior and plan an upgrade to the fully patched release when it becomes available.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 20:15:00 +0000

Type | Values Removed | Values Added
Description | | IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in the data query logic of XMLTable-derived columns.
Title | | IBM® Db2® federated server is vulnerable to a denial of service due to improper neutralization of special elements in the data query logic of XMLTable-derived columns by authenticated user
First Time appeared | | Ibm
 | | Ibm db2
Weaknesses | | CWE-1284
CPEs | | cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:*:*:*
 | | cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:*:*:*
 | | cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:*:*:*
 | | cpe:2.3:a:ibm:db2:12.1.4:*:*:*:*:*:*:*
Vendors & Products | | Ibm
 | | Ibm db2
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-06-30T19:42:08.459Z

Reserved: 2026-06-10T16:11:41.935Z

Link: CVE-2026-11906

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T21:30:17Z

Weaknesses
  • CWE-1284

    Improper Validation of Specified Quantity in Input