Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic.
AnalysisAI
Denial of service in IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.4 allows authenticated users to crash the database server via improper neutralization of special elements in query logic. An attacker with valid database credentials can trigger the vulnerability remotely without user interaction, resulting in service unavailability. No active exploitation has been confirmed at time of analysis.
Technical ContextAI
The vulnerability stems from insufficient input validation in Db2's SQL query parser, specifically in the handling of special characters or malformed query elements (CWE category: improper neutralization). The affected versions span Db2 11.5.x and 12.1.x releases across Linux, UNIX, and Windows platforms, including Db2 Connect Server deployments. The network-accessible attack vector combined with low attack complexity suggests the flaw is triggered through standard database protocol interactions (e.g., SQL over TCP/IP) without requiring complex exploitation techniques.
RemediationAI
Upgrade to IBM Db2 11.5.10 or later for 11.5.x branch, or to 12.1.5 or later for 12.1.x branch. For Db2 Connect Server, apply the corresponding patched version. Until patching is possible, restrict database user privileges using role-based access control (RBAC) to limit connections to trusted application accounts; audit and monitor for users with unnecessary CONNECT or DBADM privileges. Additionally, implement database firewall rules to permit connections only from approved application servers, reducing the pool of potential attackers with valid credentials. Note: access restrictions reduce exploitability but do not remediate the underlying flaw. See IBM advisory at https://www.ibm.com/support/pages/node/7269434 for platform-specific patch links.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26439