Skip to main content

IBM Db2 EUVDEUVD-2026-32488

| CVE-2026-6051 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-05-27 psirt@us.ibm.com GHSA-xfpq-g5f8-6gqr
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 21:20 vuln.today

DescriptionCVE.org

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to a denial of service when executing a specially crafted query with a small statement heap.

AnalysisAI

Denial of service in IBM Db2 versions 11.5.0-11.5.9 and 12.1.0-12.1.4 allows a locally authenticated, low-privileged user to crash the database service by executing a specially crafted SQL query against an instance configured with a small statement heap. The vulnerability stems from uncontrolled resource consumption (CWE-400) during query processing, resulting in high availability impact with no confidentiality or integrity exposure. No public exploit code and no active exploitation have been identified at time of analysis; SSVC classifies exploitation status as none.

Technical ContextAI

IBM Db2 allocates a statement heap - a bounded memory region - during SQL query compilation and execution. CWE-400 (Uncontrolled Resource Consumption) indicates that the engine fails to properly bound or handle resource exhaustion when a crafted query is processed against a heap configured at a small size, allowing the query to exhaust available memory or internal structures and crash the service. Affected CPE targets are IBM Db2 11.5.0 through 11.5.9 and IBM Db2 12.1.0 through 12.1.4 across supported platforms. The flaw resides in the query engine's handling of heap sizing constraints rather than in any network-facing component, which explains the local attack vector. This class of vulnerability is common in database engines that rely on pre-allocated or administrator-tuned memory regions without sufficient runtime guards.

RemediationAI

Consult and apply the fix detailed in IBM's official security advisory at https://www.ibm.com/support/pages/node/7273558. Patch available per vendor advisory; however, an exact patched version number was not present in the available intelligence data - administrators must reference the IBM advisory directly to identify the precise fix pack or interim fix to apply. As a compensating control pending patching, restrict local database query execution rights to only trusted, necessary accounts, and review statement heap sizing configurations (STMTHEAP parameter) - increasing the statement heap size may reduce exploitability of this specific path, though this has not been confirmed as a full mitigation by IBM. Additionally, enforce the principle of least privilege on database accounts to reduce the pool of users who could trigger this condition. Monitoring for abnormal query patterns or repeated service crashes can provide early warning of exploitation attempts.

Share

EUVD-2026-32488 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy