Skip to main content

IBM Db2 CVE-2026-1718

| EUVDEUVD-2026-32266 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-05-27 psirt@us.ibm.com GHSA-5xr2-xxr9-mq26
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:58 vuln.today

DescriptionCVE.org

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to a denial of service with a specially crafted query when autonomous transactions are enabled.

AnalysisAI

Denial of service in IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.4 allows an authenticated database user to crash or exhaust the database engine by submitting a specially crafted query when the autonomous transactions feature is enabled. The flaw (CWE-770, uncontrolled resource allocation) carries a CVSS 7.1 with high availability impact but no confidentiality or integrity loss. There is no public exploit identified at time of analysis, and CISA SSVC rates exploitation as 'none', indicating no observed activity to date.

Technical ContextAI

IBM Db2 is a widely deployed relational database management system. This issue resides in Db2's autonomous transactions feature - a capability that lets a routine commit or roll back its own work independently of the calling transaction. The root cause is classified as CWE-770 (Allocation of Resources Without Limits or Throttling): a crafted query path through autonomous-transaction handling fails to bound the resources it consumes, letting a single request exhaust memory/processing capacity and degrade or halt the service. EUVD enumeration confirms the affected code spans both the 11.5.x and 12.1.x release trains; no CPE strings were included in the input, so exact platform-specific package identifiers could not be cross-referenced.

RemediationAI

Apply the fix described in IBM's advisory at https://www.ibm.com/support/pages/node/7273555; the input does not include an exact patched version, so this is patch available per vendor advisory - consult that note for the precise fix pack or interim fix matching your 11.5.x or 12.1.x level and verify the build before upgrading. As an immediate compensating control where patching must wait, disable the autonomous transactions feature, since the vulnerability is only reachable when it is enabled - with the trade-off that any application logic relying on autonomous commits/rollbacks will break, so validate with application owners first. Additionally, because exploitation requires valid low-privilege credentials over the network, restrict and audit database accounts, remove unused logins, and place the Db2 listener behind network controls so only trusted application tiers can reach it; these reduce exposure but do not remove the flaw for legitimate authenticated users.

Share

CVE-2026-1718 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy