Description
IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic.
Published: 2026-04-30
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM Db2 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 for Linux, UNIX, and Windows can be exploited by an authenticated user who sends a specially crafted query containing multiple subqueries. The flaw arises from improper neutralization of special elements in the data query logic, which can force the database engine into an unhandled state and result in a denial of service. If triggered, the problem can halt the Db2 service, causing an instant loss of availability for all clients that depend on the database.

Affected Systems

The vulnerability affects IBM Db2 for Linux, UNIX, and Windows, including the Db2 Connect Server, across the specified version ranges. Specifically, any instance of Db2 11.5.0–11.5.9 or 12.1.0–12.1.4 that has not been upgraded to the fixed releases (11.5.9 or 12.1.4) remains at risk.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the EPSS score is not available. The vulnerability is not listed in CISA KEV. Exploitability requires an authenticated connection to Db2, so an attacker must have valid credentials. Once authenticated, the attacker can supply the crafted query, which is likely to exploit the flaw because the database does not properly neutralize the special elements; this can terminate or freeze the Db2 instance, producing a denial of service. Because the flaw is not remote but requires server access, the attack vector is limited to environments that can reach the database and where credentials are compromised or misconfigured.

Generated by OpenCVE AI on May 1, 2026 at 04:50 UTC.

Remediation

Vendor Solution

Customers running any vulnerable affected level of an affected Program, V11.5, and V12.1, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent level for each impacted release: V11.5.9, and V12.1.4. They can be applied to any affected level of the appropriate release to remediate this vulnerability. ReleaseFixed in mod packAPARDownload URLV11.5TBD https://www.ibm.com/support/pages/node/7087189 V12.1 TBD https://www.ibm.com/support/pages/node/7267513 IBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.

OpenCVE Recommended Actions

  • Apply the interim fix from IBM Fix Central for the appropriate release level (v11.5.9 or v12.1.4).
  • Restart the Db2 services after installing the fix to ensure the changes take effect.
  • Restrict query permissions or enforce access controls to limit the execution of complex multi‑subquery operations by non‑privileged users.

Generated by OpenCVE AI on May 1, 2026 at 04:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 01 May 2026 18:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1284
CPEs cpe:2.3:a:ibm:db2:*:*:*:*:*:linux:*:*
cpe:2.3:a:ibm:db2:*:*:*:*:*:unix:*:*
cpe:2.3:a:ibm:db2:*:*:*:*:*:windows:*:*

Fri, 01 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 01 May 2026 05:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-74

Thu, 30 Apr 2026 22:00:00 +0000

Type Values Removed Values Added
Description IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic.
Title IBM® Db2® is vulnerable to a denial of service with a specially crafted query involving multiple subqueries
First Time appeared Ibm
Ibm db2
CPEs cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:*:*:*
cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:db2:12.1.4:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm db2
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Ibm Db2
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-05-01T16:37:23.068Z

Reserved: 2026-01-28T21:49:07.049Z

Link: CVE-2026-1577

cve-icon Vulnrichment

Updated: 2026-05-01T16:37:17.864Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-30T22:16:25.017

Modified: 2026-05-01T17:52:08.720

Link: CVE-2026-1577

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T05:00:12Z

Weaknesses