Description
IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic.
Published: 2026-04-30
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM Db2 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 on Linux, UNIX, and Windows allow an authenticated user to cause a denial of service by sending a specially crafted query containing multiple subqueries. The flaw results from improper neutralization of special elements in the data query logic, which can lead the database engine to become unresponsive and terminate the service.

Affected Systems

The vulnerability affects IBM Db2 for Linux, UNIX, and Windows, including the Db2 Connect Server, within the specified version ranges. Any instances of Db2 11.5.0–11.5.9 or 12.1.0–12.1.4 that have not been updated to the fixed releases (11.5.9 or 12.1.4) remain at risk.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the EPSS score is < 1%. The vulnerability is not listed in CISA KEV. Exploitation requires an authenticated connection to Db2. Once authenticated, the attacker can submit a crafted query; the improper neutralization of special elements can cause the database engine to become unresponsive, resulting in a denial of service. The attack vector is limited to environments that allow the attacker to connect to the database with valid credentials, so it requires either credential compromise or misconfiguration of access controls.

Generated by OpenCVE AI on May 10, 2026 at 15:23 UTC.

Remediation

Vendor Solution

Customers running any vulnerable affected level of an affected Program, V11.5, and V12.1, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent level for each impacted release: V11.5.9, and V12.1.4. They can be applied to any affected level of the appropriate release to remediate this vulnerability. ReleaseFixed in mod packAPARDownload URLV11.5TBD https://www.ibm.com/support/pages/node/7087189 V12.1 TBD https://www.ibm.com/support/pages/node/7267513 IBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.

OpenCVE Recommended Actions

  • Apply the interim fix from IBM Fix Central for the appropriate release level (v11.5.9 or v12.1.4).
  • Restart the Db2 services after installing the fix to ensure changes take effect.
  • Restrict query permissions or enforce access controls to limit the execution of complex multi‑subquery operations by non‑privileged users, thereby mitigating the logic flaw indicated by CWE‑20.

Generated by OpenCVE AI on May 10, 2026 at 15:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 10 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Sat, 02 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-74

Fri, 01 May 2026 18:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1284
CPEs cpe:2.3:a:ibm:db2:*:*:*:*:*:linux:*:*
cpe:2.3:a:ibm:db2:*:*:*:*:*:unix:*:*
cpe:2.3:a:ibm:db2:*:*:*:*:*:windows:*:*

Fri, 01 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 01 May 2026 05:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-74

Thu, 30 Apr 2026 22:00:00 +0000

Type Values Removed Values Added
Description IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic.
Title IBM® Db2® is vulnerable to a denial of service with a specially crafted query involving multiple subqueries
First Time appeared Ibm
Ibm db2
CPEs cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:*:*:*
cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:db2:12.1.4:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm db2
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Ibm Db2
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-05-10T13:21:48.830Z

Reserved: 2026-01-28T21:49:07.049Z

Link: CVE-2026-1577

cve-icon Vulnrichment

Updated: 2026-05-01T16:37:17.864Z

cve-icon NVD

Status : Modified

Published: 2026-04-30T22:16:25.017

Modified: 2026-05-10T14:16:46.437

Link: CVE-2026-1577

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-10T15:30:14Z

Weaknesses