Description
IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic.
Published: 2026-04-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via improper neutralization of query elements
Action: Apply Patch
AI Analysis

Impact

IBM Db2 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 allow an authenticated user to trigger a denial of service by exploiting a flaw in the neutralization of special elements in data query logic. The vulnerability can produce a trap or return SQLCODE -901 when compiling a specially crafted query that contains a defined index, leading to database hiccups or crashes. The impact is the temporary unavailability of the database to all users while the service recovers.

Affected Systems

The affected products are IBM Db2 for Linux, UNIX and Windows, including Db2 Connect Server. Vulnerable versions include all releases from Db2 11.5.0 to 11.5.9 and from Db2 12.1.0 to 12.1.4. Only systems with these releases are at risk, regardless of the operating system platform.

Risk and Exploitability

The CVSS score of 6.5 classifies this as a moderate severity vulnerability, and the EPSS score of less than 1% indicates a low probability of exploitation. The flaw is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with sufficient privileges to create and run a specially crafted query that specifies a defined index. Successful exploitation results in a denial of service that affects all users connected to the impacted Db2 instance.

Generated by OpenCVE AI on April 28, 2026 at 20:39 UTC.

Remediation

Vendor Solution

Customers running any vulnerable affected level of an affected Program, V11.5, and V12.1, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent level for each impacted release: V11.5.9, and V12.1.4. They can be applied to any affected level of the appropriate release to remediate this vulnerability. ReleaseFixed in mod packAPARDownload URLV11.5TBD https://www.ibm.com/support/pages/node/7087189 V12.1 TBD https://www.ibm.com/support/pages/node/7267513 IBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.

Vendor Workaround

Set the following registry variable to avoid SORT operations that are used for some JOIN optimization techniques: db2set -im DB2_REDUCED_OPTIMIZATION="NO_SORT_NLJOIN,NO_SORT_MGJOIN"

OpenCVE Recommended Actions

  • Download and install the interim fix from IBM Fix Central for V11.5.9 or V12.1.4 to resolve the query logic flaw.
  • Restart all affected Db2 database instances to ensure the patch and configuration changes take effect.
  • If immediate patch application is not possible, temporarily set the DB2_REDUCED_OPTIMIZATION variable to "NO_SORT_NLJOIN,NO_SORT_MGJOIN" using db2set -im DB2_REDUCED_OPTIMIZATION='NO_SORT_NLJOIN,NO_SORT_MGJOIN' to avoid the vulnerable sort operations.

Generated by OpenCVE AI on April 28, 2026 at 20:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ibm:db2:*:*:*:*:*:linux:*:*
cpe:2.3:a:ibm:db2:*:*:*:*:*:unix:*:*
cpe:2.3:a:ibm:db2:*:*:*:*:*:windows:*:*

Thu, 23 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic.
Title IBM® Db2® is vulnerable to a trap or return SQLCODE -901 when compiling a specially crafted query with a defined index
First Time appeared Ibm
Ibm db2
Weaknesses CWE-1284
CPEs cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:*:*:*
cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:db2:12.1.4:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm db2
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Ibm Db2
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-04-23T13:57:34.912Z

Reserved: 2026-01-22T17:35:12.277Z

Link: CVE-2026-1352

cve-icon Vulnrichment

Updated: 2026-04-23T13:57:31.531Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-23T00:16:44.753

Modified: 2026-04-27T18:22:20.420

Link: CVE-2026-1352

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T20:45:16Z

Weaknesses