Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to a denial of service when executing a specially crafted query with a small statement heap.
AnalysisAI
Denial of service in IBM Db2 versions 11.5.0-11.5.9 and 12.1.0-12.1.4 allows a locally authenticated, low-privileged user to crash the database service by executing a specially crafted SQL query against an instance configured with a small statement heap. The vulnerability stems from uncontrolled resource consumption (CWE-400) during query processing, resulting in high availability impact with no confidentiality or integrity exposure. No public exploit code and no active exploitation have been identified at time of analysis; SSVC classifies exploitation status as none.
Technical ContextAI
IBM Db2 allocates a statement heap - a bounded memory region - during SQL query compilation and execution. CWE-400 (Uncontrolled Resource Consumption) indicates that the engine fails to properly bound or handle resource exhaustion when a crafted query is processed against a heap configured at a small size, allowing the query to exhaust available memory or internal structures and crash the service. Affected CPE targets are IBM Db2 11.5.0 through 11.5.9 and IBM Db2 12.1.0 through 12.1.4 across supported platforms. The flaw resides in the query engine's handling of heap sizing constraints rather than in any network-facing component, which explains the local attack vector. This class of vulnerability is common in database engines that rely on pre-allocated or administrator-tuned memory regions without sufficient runtime guards.
RemediationAI
Consult and apply the fix detailed in IBM's official security advisory at https://www.ibm.com/support/pages/node/7273558. Patch available per vendor advisory; however, an exact patched version number was not present in the available intelligence data - administrators must reference the IBM advisory directly to identify the precise fix pack or interim fix to apply. As a compensating control pending patching, restrict local database query execution rights to only trusted, necessary accounts, and review statement heap sizing configurations (STMTHEAP parameter) - increasing the statement heap size may reduce exploitability of this specific path, though this has not been confirmed as a full mitigation by IBM. Additionally, enforce the principle of least privilege on database accounts to reduce the pool of users who could trigger this condition. Monitoring for abnormal query patterns or repeated service crashes can provide early warning of exploitation attempts.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32488
GHSA-xfpq-g5f8-6gqr