Skip to main content

IBM Db2 CVE-2026-1352

| EUVDEUVD-2026-25125 MEDIUM
Improper Validation of Specified Quantity in Input (CWE-1284)
2026-04-23 psirt@us.ibm.com GHSA-chwf-7mw9-8249
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Apr 23, 2026 - 07:02 vuln.today
EUVD ID Assigned
Apr 23, 2026 - 00:22 euvd
EUVD-2026-25125
Analysis Generated
Apr 23, 2026 - 00:22 vuln.today
CVE Published
Apr 23, 2026 - 00:16 nvd
MEDIUM 6.5

DescriptionCVE.org

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic.

AnalysisAI

Authenticated users can trigger a denial of service in IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.4 for Linux, UNIX, and Windows through improper neutralization of special elements in database query logic, causing service unavailability without requiring user interaction or special configuration. The vulnerability affects both standalone Db2 instances and Db2 Connect Server deployments, with CVSS 6.5 reflecting network accessibility and authenticated access requirements. No public exploit code or active exploitation has been identified at the time of analysis.

Technical ContextAI

The vulnerability stems from CWE-1284 (Improper Neutralization of Data Query Logic Elements), which typically involves insufficient input validation or sanitization of query parameters that allows attackers to manipulate database query execution. In Db2's context, this suggests that certain special characters or sequences in SQL queries are not properly escaped or filtered before being processed by the query engine, enabling authenticated users to craft malicious queries that consume excessive resources, lock tables, or trigger internal errors leading to service crash or hang. The issue affects both the database engine itself and Db2 Connect Server, which acts as a middleware for connecting client applications to Db2 instances.

RemediationAI

IBM has released patched versions to address this vulnerability; users should upgrade to Db2 11.5.10 or later for the 11.5.x line, or Db2 12.1.5 or later for the 12.1.x line. Both patched versions are available from IBM's support portal (https://www.ibm.com/support/pages/node/7269433). In environments where immediate patching is not feasible, implement database access controls restricting query execution privileges to trusted applications and service accounts only; review and revoke unnecessary database user accounts, particularly those with ALTER, CREATE, or DDL permissions. Configure database connection pooling to include query timeout parameters, limiting the execution window for potentially malicious queries-this does not prevent the attack but reduces impact duration. Monitor query logs for unusual patterns such as excessive sequential table locks, repeated failed query parsing, or abnormal resource consumption spikes, using existing Db2 audit facilities (db2audit, Event Monitor). Note that these compensating controls do not eliminate the vulnerability and should be considered temporary measures pending patch deployment.

Share

CVE-2026-1352 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy