Skip to main content

IBM Db2 CVE-2025-36122

| EUVDEUVD-2025-209601 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-30 ibm
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Apr 30, 2026 - 22:15 vuln.today
EUVD ID Assigned
Apr 30, 2026 - 22:00 euvd
EUVD-2025-209601
Analysis Generated
Apr 30, 2026 - 22:00 vuln.today
Patch released
Apr 30, 2026 - 22:00 nvd
Patch available
CVE Published
Apr 30, 2026 - 21:48 nvd
MEDIUM 6.5

DescriptionCVE.org

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service using a specially crafted SQL query due to improper allocation of system resources.

AnalysisAI

Denial of service in IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.3 for Linux, UNIX, and Windows allows authenticated users to crash the database server by submitting a specially crafted SQL query that triggers improper system resource allocation. An attacker with valid database credentials can exhaust resources and render the database unavailable to legitimate users without leaving data corruption or unauthorized access. No public exploit code has been identified, though the vulnerability requires only valid authentication and a standard SQL interface.

Technical ContextAI

IBM Db2 is a relational database management system that allocates memory and processing resources to execute SQL queries. The vulnerability resides in the query execution engine's resource management subsystem, specifically in how it handles specially crafted SQL statements. CWE-770 (Allocation of Resources Without Limits or Throttling) indicates that the query parser or optimizer fails to enforce bounds on resource consumption for individual queries, allowing a single malformed or pathological SQL statement to monopolize CPU, memory, or I/O resources. This affects both standalone Db2 instances and Db2 Connect Server (the client-server connectivity layer), meaning both direct and remote database connections can trigger the condition. The vulnerability spans multiple major versions across three operating systems, suggesting a systemic flaw in core query processing logic rather than platform-specific code.

RemediationAI

Apply vendor-released patches immediately: upgrade Db2 11.5.x to version 11.5.10 or later, or upgrade Db2 12.1.x to version 12.1.4 or later. Patch details and download links are available at https://www.ibm.com/support/pages/node/7267642. As interim compensating controls pending patching, restrict database user accounts to the principle of least privilege-revoke unnecessary credentials from application service accounts and human users, implement connection-level query timeouts via Db2 configuration parameters (QUERY_TIMEOUT_INTERVAL) to automatically abort long-running queries, and monitor slow query logs for anomalous patterns indicative of resource-exhaustion attempts. Additionally, if Db2 is internet-facing, place it behind a network boundary or VPN and use database-level firewall rules to limit SQL access to trusted application IP ranges. These controls reduce the attacker population and provide detection windows but do not prevent exploitation by legitimate users with malicious intent; patching remains the definitive remediation.

Share

CVE-2025-36122 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy