Skip to main content

IBM Db2 CVE-2025-14688

| EUVDEUVD-2025-209600 MEDIUM
Improper Validation of Specified Quantity in Input (CWE-1284)
2026-04-30 ibm
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Apr 30, 2026 - 22:15 vuln.today
EUVD ID Assigned
Apr 30, 2026 - 22:00 euvd
EUVD-2025-209600
Analysis Generated
Apr 30, 2026 - 22:00 vuln.today
Patch released
Apr 30, 2026 - 22:00 nvd
Patch available
CVE Published
Apr 30, 2026 - 21:48 nvd
MEDIUM 5.3

DescriptionCVE.org

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic when certain configurations exist.

AnalysisAI

Denial of service in IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.3 allows authenticated users to crash the database server via improper neutralization of special elements in query logic when specific configurations are present. Attack requires valid database credentials and high attack complexity, limiting exploitation to insiders or users with legitimate access. Vendor has released patches addressing the underlying query parsing flaw.

Technical ContextAI

The vulnerability stems from CWE-1284 (Improper Neutralization of Data Query Logic Elements), a class of flaws where special characters or sequences in database queries are not properly sanitized before execution. In Db2's query processing engine, this allows authenticated users to craft malformed SQL statements or queries containing unescaped elements that trigger unhandled exceptions or resource exhaustion within the database parser or optimizer. The flaw manifests only under 'certain configurations' of Db2, indicating the vulnerability may require specific feature flags, connection parameters, or database initialization settings to be exploitable. The affected CPE covers Db2 instances across Linux, UNIX, and Windows platforms, including Db2 Connect Server (client connectivity layer).

RemediationAI

Vendor-released patch available: upgrade to IBM Db2 11.5.10 or later (11.5.x branch) or 12.1.4 or later (12.1.x branch). Consult IBM support page https://www.ibm.com/support/pages/node/7269424 for patch availability and download instructions specific to your platform. If immediate patching is not feasible, restrict database access to trusted application accounts and disable or reconfigure the specific Db2 feature settings that trigger the vulnerability - IBM's advisory should clarify which configuration options enable the flaw. Implement connection authentication policy requiring strong credentials and audit database connection logs for anomalous query patterns that may indicate exploitation attempts. Network segmentation to limit Db2 access to trusted hosts reduces the attack surface despite the network-accessible vector.

Share

CVE-2025-14688 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy