Description
IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to a denial of service with a specially crafted query when autonomous transactions are enabled.
Published: 2026-05-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM Db2 versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 are affected by a denial-of-service vulnerability that can be triggered by a specially crafted SQL query executed under an autonomous transaction. The flaw causes the database engine to exhaust resources, preventing normal query processing and potentially halting the database instance. The weakness is classified as CWE-770 (Allocation of Resources Without Limits or Throttling). The impact is loss of availability for the affected databases and for the services that depend on them.

Affected Systems

IBM Db2 for Linux, Unix, and Windows is affected in all releases from 11.5.0 through 11.5.9 and from 12.1.0 through 12.1.4. The interim fix for these releases is delivered as special builds for 11.5.9 and 12.1.4, which can be applied to any earlier sub-release within the corresponding major version.

Risk and Exploitability

The CVSS v3.1 score of 7.1 indicates a high impact and medium exploitation difficulty. No EPSS score is currently available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to submit a crafted query to a Db2 instance with autonomous transactions enabled, which typically implies at least application-level or database user privileges. In practice, this means that internal users, or an attacker holding compromised credentials with such privileges, could trigger a denial of service, which underlines the importance of timely patching.

Generated by OpenCVE AI on May 27, 2026 at 15:56 UTC.

Remediation

Vendor Solution

Customers running any affected level of an affected program (V11.5 or V12.1) can download the special build containing the interim fix for this issue from Fix Central. These special builds are based on the most recent level of each impacted release (V11.5.9 and V12.1.4) and can be applied to any affected level of the corresponding release to remediate this vulnerability.

Release   Fixed in mod pack / APAR   Download URL
V11.5     TBD                        https://www.ibm.com/support/pages/node/7087189
V12.1     TBD                        https://www.ibm.com/support/pages/node/7267513

IBM does not disclose key Db2 functionality or replication steps for a vulnerability, to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.


Vendor Workaround

Remove AUTONOMOUS from the procedure definition.


OpenCVE Recommended Actions

  • Download and apply the special interim build for the specific release (11.5.9 for v11.5.x or 12.1.4 for v12.1.x) from IBM Fix Central.
  • As an interim workaround, remove the AUTONOMOUS keyword from any PROCEDURE definitions that currently use it.
  • Apply the patch or workaround before the next minor release to prevent denial‑of‑service failures.


Advisories

No advisories yet.

History

Wed, 27 May 2026 15:30:00 +0000

Type                   Values Removed   Values Added
Metrics                                 ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 14:15:00 +0000

Type                   Values Removed   Values Added
Description                             IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to a denial of service with a specially crafted query when autonomous transactions are enabled.
Title                                   IBM® Db2® is vulnerable to a denial of service with a specially crafted query when running an AUTONOMOUS procedure
First Time appeared                     Ibm; Ibm db2
Weaknesses                              CWE-770
CPEs                                    cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:*:*:*
                                        cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:*:*:*
                                        cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:*:*:*
                                        cpe:2.3:a:ibm:db2:12.1.4:*:*:*:*:*:*:*
Vendors & Products                      Ibm; Ibm db2
References
Metrics                                 cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-05-27T15:00:16.607Z

Reserved: 2026-01-30T19:11:27.471Z

Link: CVE-2026-1718

Vulnrichment

Updated: 2026-05-27T14:59:28.102Z

NVD

Status: Awaiting Analysis

Published: 2026-05-27T14:16:43.883

Modified: 2026-05-27T14:53:51.833

Link: CVE-2026-1718

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T16:00:08Z

Weaknesses