Skip to main content

IBM Db2 CVE-2026-1577

| EUVDEUVD-2026-26439 MEDIUM
Improper Validation of Specified Quantity in Input (CWE-1284)
2026-04-30 ibm
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Apr 30, 2026 - 22:15 vuln.today
EUVD ID Assigned
Apr 30, 2026 - 22:00 euvd
EUVD-2026-26439
Analysis Generated
Apr 30, 2026 - 22:00 vuln.today
Patch released
Apr 30, 2026 - 22:00 nvd
Patch available
CVE Published
Apr 30, 2026 - 21:49 nvd
MEDIUM 6.5

DescriptionCVE.org

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic.

AnalysisAI

Denial of service in IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.4 allows authenticated users to crash the database server via improper neutralization of special elements in query logic. An attacker with valid database credentials can trigger the vulnerability remotely without user interaction, resulting in service unavailability. No active exploitation has been confirmed at time of analysis.

Technical ContextAI

The vulnerability stems from insufficient input validation in Db2's SQL query parser, specifically in the handling of special characters or malformed query elements (CWE category: improper neutralization). The affected versions span Db2 11.5.x and 12.1.x releases across Linux, UNIX, and Windows platforms, including Db2 Connect Server deployments. The network-accessible attack vector combined with low attack complexity suggests the flaw is triggered through standard database protocol interactions (e.g., SQL over TCP/IP) without requiring complex exploitation techniques.

RemediationAI

Upgrade to IBM Db2 11.5.10 or later for 11.5.x branch, or to 12.1.5 or later for 12.1.x branch. For Db2 Connect Server, apply the corresponding patched version. Until patching is possible, restrict database user privileges using role-based access control (RBAC) to limit connections to trusted application accounts; audit and monitor for users with unnecessary CONNECT or DBADM privileges. Additionally, implement database firewall rules to permit connections only from approved application servers, reducing the pool of potential attackers with valid credentials. Note: access restrictions reduce exploitability but do not remediate the underlying flaw. See IBM advisory at https://www.ibm.com/support/pages/node/7269434 for platform-specific patch links.

Share

CVE-2026-1577 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy