Skip to main content

IBM Db2 CVE-2026-6053

| EUVDEUVD-2026-32490 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-05-27 psirt@us.ibm.com GHSA-2j7q-r439-8qqq
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 21:19 vuln.today

DescriptionCVE.org

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to a denial of service when a specially crafted query is run with range partitioned tables.

AnalysisAI

Denial of service in IBM Db2 11.5.x and 12.1.x allows a low-privileged local user to crash the database engine by executing a specially crafted query against range partitioned tables. The vulnerability stems from uncontrolled resource allocation (CWE-770) during query processing, resulting in complete availability loss with no impact to confidentiality or integrity. No public exploit code exists and this vulnerability has not been listed in the CISA KEV catalog at time of analysis.

Technical ContextAI

IBM Db2 is an enterprise relational database management system. Range partitioned tables are a storage and performance optimization feature that divides a table's data across physical partitions based on column value ranges. CWE-770 (Allocation of Resources Without Limits or Throttling) indicates the Db2 query engine fails to impose appropriate resource consumption limits when processing certain crafted queries against these partition structures - likely in the partition pruning or scan planning subsystem. Affected versions span two major release lines: Db2 11.5.0 through 11.5.9 and Db2 12.1.0 through 12.1.4. The local attack vector (AV:L) implies this is exercised via a database session rather than a network-exposed interface, consistent with SQL query execution requiring an established connection.

RemediationAI

Consult the IBM support advisory at https://www.ibm.com/support/pages/node/7273556 for patching guidance; no exact fixed version number was confirmed in the available intelligence, so patch version details should be obtained directly from IBM. As a compensating control where patching cannot be applied immediately, restrict database login privileges so that only trusted, vetted users can execute queries against databases that contain range partitioned tables - this directly addresses the PR:L prerequisite. Additionally, consider monitoring query execution logs for anomalous patterns targeting partitioned table scans. Revoking or tightly scoping EXECUTE and SELECT permissions on range-partitioned objects for low-trust user roles limits the attack surface with minimal operational disruption. Note that restricting query access may affect application functionality if application accounts hold low-privilege roles that legitimately query these tables.

Share

CVE-2026-6053 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy