Skip to main content

IBM Db2 CVE-2026-9762

| EUVDEUVD-2026-45234 HIGH
Code Injection (CWE-94)
2026-07-17 ibm
7.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (ibm) PRIMARY
HIGH
qualitative
NVD
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Attacker needs local access and low privileges to influence the JDBC URL (AV:L, PR:L); injection is straightforward (AC:L) and code execution yields full C/I/A impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (ibm).

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 17, 2026 - 18:15 vuln.today
CVE Published
Jul 17, 2026 - 17:25 cve.org
HIGH 7.8

DescriptionNVD

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to remote code execution when jdbc url is under user control.

AnalysisAI

Code injection leading to remote code execution affects IBM Db2 versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 when an attacker can influence the JDBC connection URL passed to the driver. An attacker who controls the JDBC URL (typically via an application that builds connection strings from user input) can inject malicious properties or references that cause arbitrary code to execute in the context of the connecting application/driver host. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain low-privilege access to app/host
Delivery
Supply crafted JDBC URL to driver
Exploit
Inject malicious URL properties (CWE-94)
Execution
Db2 driver resolves and loads code
Impact
Execute arbitrary code in app context

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker control, or be able to influence, the JDBC connection URL that is handed to the IBM Db2 driver - for example an application, admin console, or configuration path that builds connection strings from user-supplied values. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 3.1 score is 7.8 (High) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - local attack vector, low complexity, low privileges required, no user interaction, and full confidentiality/integrity/availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An application allows a user or lower-privileged operator to influence part of a Db2 JDBC connection string (for example a data-source parameter or a 'test connection' feature). The attacker supplies a crafted JDBC URL containing malicious properties that the Db2 driver resolves at connect time, causing arbitrary code to execute with the privileges of the application process. …
Remediation Patch available per vendor advisory - apply the IBM-provided fix pack or iFix documented at https://www.ibm.com/support/pages/node/7279479 for the appropriate Db2 line (11.5.x or 12.1.x); the exact fixed version was not enumerated in the provided data, so consult that advisory for the precise level. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Db2 deployments running versions 11.5.0-11.5.9 or 12.1.0-12.1.4 and audit which applications construct JDBC connection strings from external input, application configuration files, or admin panels. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Db2

View all
CVE-2012-4826 HIGH
8.5 Oct 20

Stack-based buffer overflow in the SQL/PSM (aka SQL Persistent Stored Module) Stored Procedure (SP) infrastructure in IB

CVE-2017-1297 HIGH POC
7.3 Jun 27

IBM DB2 for Linux, UNIX and Windows 9.2, 10.1, 10.5, and 11.1 (includes DB2 Connect Server) is vulnerable to a stack-bas

CVE-2014-3094 HIGH
8.5 Sep 04

Stack-based buffer overflow in IBM DB2 9.7 through FP9a, 9.8 through FP5, 10.1 through FP4, and 10.5 before FP4 on Linux

CVE-2012-1797 CRITICAL
10.0 Mar 20

IBM DB2 9.5 uses world-writable permissions for nodes.reg, which has unspecified impact and attack vectors. Rated critic

CVE-2026-10109 CRITICAL
9.8 Jun 30

Remote code execution in IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.4 lets unauthenticated network attackers run arbitrary co

CVE-2012-2197 HIGH
7.1 Jul 25

Stack-based buffer overflow in the Java Stored Procedure infrastructure in IBM DB2 9.1 before FP12, 9.5 through FP9, 9.7

CVE-2012-3324 CRITICAL
9.0 Sep 25

Directory traversal vulnerability in the UTL_FILE module in IBM DB2 and DB2 Connect 10.1 before FP1 on Windows allows re

CVE-2018-1426 CRITICAL
9.1 Mar 22

IBM GSKit (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1) duplicates the PRNG state across fork() system

CVE-2012-0711 HIGH
7.5 Mar 20

Integer signedness error in the db2dasrrm process in the DB2 Administration Server (DAS) in IBM DB2 9.1 through FP11, 9.

CVE-2013-6744 HIGH
8.5 May 30

The Stored Procedure infrastructure in IBM DB2 9.5, 9.7 before FP9a, 10.1 before FP3a, and 10.5 before FP3a on Windows a

CVE-2015-1935 HIGH
8.0 Jul 20

The scalar-function implementation in IBM DB2 9.7 through FP10, 9.8 through FP5, 10.1 before FP5, and 10.5 through FP5 o

CVE-2023-27869 HIGH
8.8 Jul 10

IBM Db2 JDBC Driver for Db2 for Linux, UNIX and Windows 10.5, 11.1, and 11.5 could allow a remote authenticated attacker

Share

CVE-2026-9762 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy