Skip to main content

IBM Db2 CVE-2026-3676

| EUVDEUVD-2026-32280 MEDIUM
Improper Validation of Specified Quantity in Input (CWE-1284)
2026-05-27 psirt@us.ibm.com GHSA-p4qj-fgm6-87w7
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 27, 2026 - 22:21 vuln.today
CVE Published
May 27, 2026 - 14:16 nvd
MEDIUM 6.5

DescriptionCVE.org

IBM Cloud APM, Base Private 8.1.4 and IBM Cloud APM, Advanced Private 8.1.4 IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in the data query logic of the Fenced environment.

AnalysisAI

Authenticated denial-of-service in IBM Db2 for Linux, UNIX, and Windows allows a low-privileged network user to crash database availability by submitting specially crafted data queries against the Fenced environment. The vulnerability affects IBM Cloud APM Base Private 8.1.4 and Advanced Private 8.1.4, which bundle Db2 as a backend component. No public exploit has been identified at time of analysis, and the CVSS score of 6.5 reflects meaningful but bounded risk due to the authentication prerequisite.

Technical ContextAI

IBM Db2's Fenced environment is an isolated process space used to execute user-defined functions (UDFs) and stored procedures in a sandboxed context, separating them from the core database engine for stability and security. The root cause is CWE-1284 (Improper Validation of Specified Quantity in Input), meaning the query processing logic in the Fenced environment fails to properly neutralize or validate special elements in input data - likely boundary values, escape sequences, or malformed quantity parameters - that can trigger resource exhaustion or process termination. Affected products per the EUVD entry are IBM Cloud APM Base Private 8.1.4 (up to and including Interim Fix 021) and IBM Cloud APM Advanced Private 8.1.4, both of which embed Db2 for Linux, UNIX, and Windows including DB2 Connect Server.

RemediationAI

The primary remediation is to apply the IBM-issued fix referenced in vendor advisory https://www.ibm.com/support/pages/node/7273649. The EUVD affected version notation 'Cloud APM, Base Private 8.1.4 ≤ Interim Fix 021' implies that a fix exists beyond Interim Fix 021 (i.e., Interim Fix 022 or later), but an exact patched version number is not independently confirmed from the available source data - consult the IBM advisory directly to obtain the precise fix package. As a compensating control prior to patching, restrict database access to the minimum required set of authenticated users, particularly limiting which accounts can submit arbitrary queries against the Fenced environment. Disabling or restricting UDF execution in the Fenced environment may reduce exposure but carries functional trade-offs for applications relying on fenced UDFs or stored procedures. Network-layer controls restricting Db2 listener port access (default TCP 50000) to trusted application hosts can reduce the attack surface without application impact.

Share

CVE-2026-3676 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy