Description
IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to running out of memory when executing certain queries with MDC tables.
Published: 2026-05-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM Db2 databases from version 11.5.0 up through 11.5.9 and from 12.1.0 up through 12.1.4 can run out of memory when a query is executed against Multi-Clustering-Dimensional (MDC) tables. The excessive memory consumption is caused by the internal handling of these tables, which can lead to complete exhaustion of available system RAM and force the database or host operating system to become unresponsive. This flaw aligns with CWE-400: Uncontrolled Resource Consumption, where improper allocation of resources results in denial of service. The direct result is a denial of service that could affect any application that relies on the affected Db2 instance. The likely attack vector is the execution of crafted queries against MDC tables, which an attacker could trigger remotely through an application interface or directly if they have SQL access.

Affected Systems

IBM Db2 is affected in the V11.5 release at levels 11.5.0 through 11.5.9 and in the V12.1 release at levels 12.1.0 through 12.1.4. IBM has released interim special builds, V11.5.9 for the 11.5 line and V12.1.4 for the 12.1 line, that address the memory exhaustion issue and can be applied to any earlier level within the same release.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and no EPSS score is currently available. The vulnerability is not listed in CISA's KEV catalog. Because the underlying issue is triggered by the execution of certain queries on MDC tables, an attacker would need the ability to submit those queries, either remotely through an application that interfaces with Db2 or locally with database privileges. If such access exists, the risk of a denial of service is high due to the complete consumption of system memory.

Generated by OpenCVE AI on May 27, 2026 at 20:01 UTC.

Remediation

Vendor Solution

Customers running any vulnerable level of an affected Program (V11.5 and V12.1) can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent level for each impacted release: V11.5.9 and V12.1.4. They can be applied to any affected level of the appropriate release to remediate this vulnerability.

Release / Fixed in mod pack / APAR / Download URL
V11.5 (fixed in mod pack / APAR: TBD): https://www.ibm.com/support/pages/node/7087189
V12.1 (fixed in mod pack / APAR: TBD): https://www.ibm.com/support/pages/node/7267513

IBM does not disclose key Db2 functionality nor replication steps for a vulnerability, to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.


Vendor Workaround

Do not use Multi-Clustering-Dimensional (MDC) tables


OpenCVE Recommended Actions

  • Apply the interim special build V11.5.9 for all 11.5.x releases or V12.1.4 for all 12.1.x releases to fix the CWE-400 memory exhaustion flaw.
  • If a patch cannot be applied immediately, avoid the use of MDC tables by removing them or not creating new ones as a workaround, thereby mitigating the uncontrolled resource consumption identified by CWE-400.
  • Configure database monitoring to trigger alerts when memory usage exceeds a safe threshold, and enforce limits on query complexity to mitigate the impact of future similar issues.
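Before either remediation step above, a DBA needs to know which instance level is running and which tables are MDC tables. The following Db2 SQL is an added example, not from IBM's advisory or OpenCVE; it assumes the SYSIBMADM.ENV_INST_INFO administrative view and the SYSCAT.INDEXES INDEXTYPE values 'BLOK' (composite block index) and 'DIM' (dimension block index), which Db2 creates only for MDC tables.

```sql
-- Added example (not from the OpenCVE page or IBM's advisory).
-- Requires SELECT on the catalog views; run from the CLP or any SQL client.

-- 1. Instance level, to compare against the affected ranges
--    11.5.0 through 11.5.9 and 12.1.0 through 12.1.4.
SELECT inst_name, service_level, fixpack_num, bld_level
  FROM sysibmadm.env_inst_info;

-- 2. Inventory of MDC tables in the current database.
--    A table is MDC exactly when it owns block / dimension block indexes,
--    so joining on INDEXTYPE IN ('BLOK', 'DIM') finds them without
--    inspecting DDL. COLNAMES shows the clustering dimensions as
--    '+COL1+COL2'; CARD is the optimizer's row estimate (-1 = no stats).
SELECT t.tabschema,
       t.tabname,
       t.card                                       AS row_estimate,
       COUNT(*)                                     AS block_index_count,
       LISTAGG(i.indextype || ':' || i.colnames, ' ; ')
         WITHIN GROUP (ORDER BY i.indextype, i.indname) AS block_indexes
  FROM syscat.tables  t
  JOIN syscat.indexes i
    ON i.tabschema = t.tabschema
   AND i.tabname   = t.tabname
 WHERE i.indextype IN ('BLOK', 'DIM')
   AND t.tabschema NOT LIKE 'SYS%'
 GROUP BY t.tabschema, t.tabname, t.card
 ORDER BY t.tabschema, t.tabname;
```

An empty result from the second query means the workaround (not using MDC tables) is already in effect for that database; a non-empty one lists the tables whose queries the interim build or the workaround must cover.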

Generated by OpenCVE AI on May 27, 2026 at 20:01 UTC.

Advisories

No advisories yet.

History

Thu, 28 May 2026 16:00:00 +0000

Type / Values Removed / Values Added
First Time appeared: Ibm aix; Ibm linux On Ibm Z; Linux; Linux linux Kernel; Microsoft; Microsoft windows
CPEs:
  cpe:2.3:a:ibm:db2:*:*:*:*:-:*:*:*
  cpe:2.3:o:ibm:aix:-:*:*:*:*:*:*:*
  cpe:2.3:o:ibm:linux_on_ibm_z:-:*:*:*:*:*:*:*
  cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
  cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products: Ibm aix; Ibm linux On Ibm Z; Linux; Linux linux Kernel; Microsoft; Microsoft windows

Wed, 27 May 2026 16:30:00 +0000

Type / Values Removed / Values Added
Weaknesses: CWE-400
Metrics: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 14:15:00 +0000

Type / Values Removed / Values Added
Description: IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to running out of memory when executing certain queries with MDC tables.
Title: IBM® Db2® is vulnerable to running out of memory when executing certain queries with MDC tables
First Time appeared: Ibm; Ibm db2
CPEs:
  cpe:2.3:a:ibm:db2:11.5.0:*:*:*:*:*:*:*
  cpe:2.3:a:ibm:db2:11.5.9:*:*:*:*:*:*:*
  cpe:2.3:a:ibm:db2:12.1.0:*:*:*:*:*:*:*
  cpe:2.3:a:ibm:db2:12.1.4:*:*:*:*:*:*:*
Vendors & Products: Ibm; Ibm db2
References:
Metrics: cvssV3_1
  {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-05-27T15:22:19.791Z

Reserved: 2026-04-09T22:08:53.174Z

Link: CVE-2026-6052

Vulnrichment

Updated: 2026-05-27T15:21:13.164Z

NVD

Status : Analyzed

Published: 2026-05-27T14:17:34.513

Modified: 2026-05-28T15:51:31.187

Link: CVE-2026-6052

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T02:45:04Z

Weaknesses
  • CWE-400: Uncontrolled Resource Consumption