Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic.
AnalysisAI
Authenticated users can trigger a denial of service in IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.4 for Linux, UNIX, and Windows through improper neutralization of special elements in database query logic, causing service unavailability without requiring user interaction or special configuration. The vulnerability affects both standalone Db2 instances and Db2 Connect Server deployments, with CVSS 6.5 reflecting network accessibility and authenticated access requirements. No public exploit code or active exploitation has been identified at the time of analysis.
Technical ContextAI
The vulnerability stems from CWE-1284 (Improper Neutralization of Data Query Logic Elements), which typically involves insufficient input validation or sanitization of query parameters that allows attackers to manipulate database query execution. In Db2's context, this suggests that certain special characters or sequences in SQL queries are not properly escaped or filtered before being processed by the query engine, enabling authenticated users to craft malicious queries that consume excessive resources, lock tables, or trigger internal errors leading to service crash or hang. The issue affects both the database engine itself and Db2 Connect Server, which acts as a middleware for connecting client applications to Db2 instances.
RemediationAI
IBM has released patched versions to address this vulnerability; users should upgrade to Db2 11.5.10 or later for the 11.5.x line, or Db2 12.1.5 or later for the 12.1.x line. Both patched versions are available from IBM's support portal (https://www.ibm.com/support/pages/node/7269433). In environments where immediate patching is not feasible, implement database access controls restricting query execution privileges to trusted applications and service accounts only; review and revoke unnecessary database user accounts, particularly those with ALTER, CREATE, or DDL permissions. Configure database connection pooling to include query timeout parameters, limiting the execution window for potentially malicious queries-this does not prevent the attack but reduces impact duration. Monitor query logs for unusual patterns such as excessive sequential table locks, repeated failed query parsing, or abnormal resource consumption spikes, using existing Db2 audit facilities (db2audit, Event Monitor). Note that these compensating controls do not eliminate the vulnerability and should be considered temporary measures pending patch deployment.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25125
GHSA-chwf-7mw9-8249