Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to a denial of service when a specially crafted query is run with range partitioned tables.
AnalysisAI
Denial of service in IBM Db2 11.5.x and 12.1.x allows a low-privileged local user to crash the database engine by executing a specially crafted query against range partitioned tables. The vulnerability stems from uncontrolled resource allocation (CWE-770) during query processing, resulting in complete availability loss with no impact to confidentiality or integrity. No public exploit code exists and this vulnerability has not been listed in the CISA KEV catalog at time of analysis.
Technical ContextAI
IBM Db2 is an enterprise relational database management system. Range partitioned tables are a storage and performance optimization feature that divides a table's data across physical partitions based on column value ranges. CWE-770 (Allocation of Resources Without Limits or Throttling) indicates the Db2 query engine fails to impose appropriate resource consumption limits when processing certain crafted queries against these partition structures - likely in the partition pruning or scan planning subsystem. Affected versions span two major release lines: Db2 11.5.0 through 11.5.9 and Db2 12.1.0 through 12.1.4. The local attack vector (AV:L) implies this is exercised via a database session rather than a network-exposed interface, consistent with SQL query execution requiring an established connection.
RemediationAI
Consult the IBM support advisory at https://www.ibm.com/support/pages/node/7273556 for patching guidance; no exact fixed version number was confirmed in the available intelligence, so patch version details should be obtained directly from IBM. As a compensating control where patching cannot be applied immediately, restrict database login privileges so that only trusted, vetted users can execute queries against databases that contain range partitioned tables - this directly addresses the PR:L prerequisite. Additionally, consider monitoring query execution logs for anomalous patterns targeting partitioned table scans. Revoking or tightly scoping EXECUTE and SELECT permissions on range-partitioned objects for low-trust user roles limits the attack surface with minimal operational disruption. Note that restricting query access may affect application functionality if application accounts hold low-privilege roles that legitimately query these tables.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32490
GHSA-2j7q-r439-8qqq