Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
IBM Cloud APM, Base Private 8.1.4 and IBM Cloud APM, Advanced Private 8.1.4 IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in the data query logic of the Fenced environment.
AnalysisAI
Authenticated denial-of-service in IBM Db2 for Linux, UNIX, and Windows allows a low-privileged network user to crash database availability by submitting specially crafted data queries against the Fenced environment. The vulnerability affects IBM Cloud APM Base Private 8.1.4 and Advanced Private 8.1.4, which bundle Db2 as a backend component. No public exploit has been identified at time of analysis, and the CVSS score of 6.5 reflects meaningful but bounded risk due to the authentication prerequisite.
Technical ContextAI
IBM Db2's Fenced environment is an isolated process space used to execute user-defined functions (UDFs) and stored procedures in a sandboxed context, separating them from the core database engine for stability and security. The root cause is CWE-1284 (Improper Validation of Specified Quantity in Input), meaning the query processing logic in the Fenced environment fails to properly neutralize or validate special elements in input data - likely boundary values, escape sequences, or malformed quantity parameters - that can trigger resource exhaustion or process termination. Affected products per the EUVD entry are IBM Cloud APM Base Private 8.1.4 (up to and including Interim Fix 021) and IBM Cloud APM Advanced Private 8.1.4, both of which embed Db2 for Linux, UNIX, and Windows including DB2 Connect Server.
RemediationAI
The primary remediation is to apply the IBM-issued fix referenced in vendor advisory https://www.ibm.com/support/pages/node/7273649. The EUVD affected version notation 'Cloud APM, Base Private 8.1.4 ≤ Interim Fix 021' implies that a fix exists beyond Interim Fix 021 (i.e., Interim Fix 022 or later), but an exact patched version number is not independently confirmed from the available source data - consult the IBM advisory directly to obtain the precise fix package. As a compensating control prior to patching, restrict database access to the minimum required set of authenticated users, particularly limiting which accounts can submit arbitrary queries against the Fenced environment. Disabling or restricting UDF execution in the Fenced environment may reduce exposure but carries functional trade-offs for applications relying on fenced UDFs or stored procedures. Network-layer controls restricting Db2 listener port access (default TCP 50000) to trusted application hosts can reduce the attack surface without application impact.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32280
GHSA-p4qj-fgm6-87w7