Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic when certain configurations exist.
AnalysisAI
Denial of service in IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.3 allows authenticated users to crash the database server via improper neutralization of special elements in query logic when specific configurations are present. Attack requires valid database credentials and high attack complexity, limiting exploitation to insiders or users with legitimate access. Vendor has released patches addressing the underlying query parsing flaw.
Technical ContextAI
The vulnerability stems from CWE-1284 (Improper Neutralization of Data Query Logic Elements), a class of flaws where special characters or sequences in database queries are not properly sanitized before execution. In Db2's query processing engine, this allows authenticated users to craft malformed SQL statements or queries containing unescaped elements that trigger unhandled exceptions or resource exhaustion within the database parser or optimizer. The flaw manifests only under 'certain configurations' of Db2, indicating the vulnerability may require specific feature flags, connection parameters, or database initialization settings to be exploitable. The affected CPE covers Db2 instances across Linux, UNIX, and Windows platforms, including Db2 Connect Server (client connectivity layer).
RemediationAI
Vendor-released patch available: upgrade to IBM Db2 11.5.10 or later (11.5.x branch) or 12.1.4 or later (12.1.x branch). Consult IBM support page https://www.ibm.com/support/pages/node/7269424 for patch availability and download instructions specific to your platform. If immediate patching is not feasible, restrict database access to trusted application accounts and disable or reconfigure the specific Db2 feature settings that trigger the vulnerability - IBM's advisory should clarify which configuration options enable the flaw. Implement connection authentication policy requiring strong credentials and audit database connection logs for anomalous query patterns that may indicate exploitation attempts. Network segmentation to limit Db2 access to trusted hosts reduces the attack surface despite the network-accessible vector.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209600