Description
IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to a denial of service when executing a specially crafted query with a small statement heap.
Published: 2026-05-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM Db2 versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 can crash when a specially crafted query is executed with a statement heap that is too small. The weakness is classed as uncontrolled resource consumption (CWE-400). When triggered, the database engine does not return a clean error but instead terminates the session or the database instance, making the service unavailable to legitimate users.

Affected Systems

All IBM Db2 installations in the affected ranges of release 11.5 and 12.1, regardless of sub-level, are impacted. IBM provides special builds containing an interim fix, based on the most recent level of each release (11.5.9 and 12.1.4); these can be applied to any affected level of the same release and are obtained from IBM Fix Central.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate severity. No EPSS score is publicly listed, so the current exploitation likelihood is unknown. The issue is not listed in the CISA KEV catalog. The attack likely requires the ability to submit a specially crafted SQL statement to the database; whoever has query access, whether internal or external, could trigger the crash. No lateral movement or privilege escalation is implied; the effect is mainly service denial.

Generated by OpenCVE AI on May 27, 2026 at 17:49 UTC.

Remediation

Vendor Solution

Customers running any affected level of an affected Program (V11.5 and V12.1) can download the special build containing the interim fix for this issue from Fix Central. These special builds are based on the most recent level of each impacted release, V11.5.9 and V12.1.4, and can be applied to any affected level of the appropriate release to remediate this vulnerability.

Release  Fixed in mod pack  APAR  Download URL
V11.5    TBD                      https://www.ibm.com/support/pages/node/7087189
V12.1    TBD                      https://www.ibm.com/support/pages/node/7267513

IBM does not disclose key Db2 functionality or replication steps for a vulnerability, to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.


Vendor Workaround

1) Increase the statement heap by setting a larger STMTHEAP, or
2) Reduce the optimization level to 0. The user can append an optimizer guideline to the query:

<query> /* <OPTGUIDELINES> <QRYOPT VALUE='0'/> </OPTGUIDELINES> */


OpenCVE Recommended Actions

  • Apply the IBM Fix Central interim build (v11.5.9 for 11.5 or v12.1.4 for 12.1) to patch the database system
  • If a patch cannot be applied immediately, increase the statement heap allocation by setting a larger STMTHEAP value in the Db2 configuration
  • As a temporary workaround, modify queries to run with optimizer level zero using the guideline comment syntax: /*<OPTGUIDELINES><QRYOPT VALUE='0'/>*/

Generated by OpenCVE AI on May 27, 2026 at 17:49 UTC.

Advisories

No advisories yet.

History

Thu, 28 May 2026 16:00:00 +0000

Type: First Time appeared
  Values added: Ibm aix; Ibm linux On Ibm Z; Linux; Linux linux Kernel; Microsoft; Microsoft windows
Type: CPEs
  Values added:
    cpe:2.3:a:ibm:db2:*:*:*:*:-:*:*:*
    cpe:2.3:o:ibm:aix:-:*:*:*:*:*:*:*
    cpe:2.3:o:ibm:linux_on_ibm_z:-:*:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Type: Vendors & Products
  Values added: Ibm aix; Ibm linux On Ibm Z; Linux; Linux linux Kernel; Microsoft; Microsoft windows

Wed, 27 May 2026 15:30:00 +0000

Type: Metrics (ssvc)
  Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 14:15:00 +0000

Type: Description
  Values added: IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to a denial of service when executing a specially crafted query with a small statement heap.
Type: Title
  Values added: IBM® Db2® is vulnerable to a denial of service when executing a specially crafted query with a small statement heap
Type: First Time appeared
  Values added: Ibm; Ibm db2
Type: Weaknesses
  Values added: CWE-400
Type: CPEs
  Values added:
    cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:db2:12.1.4:*:*:*:*:*:*:*
Type: Vendors & Products
  Values added: Ibm; Ibm db2
Type: References
Type: Metrics (cvssV3_1)
  Values added: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-05-27T14:41:58.407Z

Reserved: 2026-04-09T21:45:54.618Z

Link: CVE-2026-6051

Vulnrichment

Updated: 2026-05-27T14:41:53.795Z

NVD

Status : Analyzed

Published: 2026-05-27T14:17:34.370

Modified: 2026-05-28T15:55:06.300

Link: CVE-2026-6051

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T01:15:03Z

Weaknesses
  • CWE-400: Uncontrolled Resource Consumption