Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to running out of memory when executing certain queries with MDC tables.
AnalysisAI
Memory exhaustion in IBM Db2 11.5.x and 12.1.x allows an authenticated remote attacker to crash the database engine by submitting certain queries targeting Multi-Dimensional Clustering (MDC) tables, resulting in a denial of service. The vulnerability carries a CVSS 6.5 score with network-accessible attack vector and low-privilege requirement, meaning any valid database user can trigger it. No active exploitation has been identified at time of analysis; SSVC rates exploitation status as none and technical impact as partial.
Technical ContextAI
CWE-400 (Uncontrolled Resource Consumption) describes the root cause: the Db2 query execution engine fails to bound memory allocation when processing certain query patterns against MDC (Multi-Dimensional Clustering) tables. MDC is a Db2-specific table organization feature that stores rows in extents clustered across multiple dimensions simultaneously, used to optimize multi-dimensional range queries in analytical workloads. The affected product lines span IBM Db2 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 as identified by EUVD-2026-32489 and confirmed by IBM PSIRT (psirt@us.ibm.com). The flaw resides in query processing rather than storage, suggesting that the MDC extent-scan or block-index traversal code path does not enforce an upper bound on intermediate result buffer growth.
RemediationAI
The primary remediation is to apply the fix documented in IBM's advisory at https://www.ibm.com/support/pages/node/7273557. No specific patched version number was included in the available intelligence data - consult the IBM advisory directly to identify the exact target upgrade version for your release line (11.5.x or 12.1.x). As a compensating control, database administrators can restrict EXECUTE or SELECT privileges on MDC-organized tables to only those roles that operationally require them, reducing the pool of accounts capable of triggering the condition. Monitoring Db2 process memory with alerting thresholds can provide early warning before a full out-of-memory event impacts availability. Note that restricting MDC table access may affect legitimate analytical query workloads that depend on those tables.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32489
GHSA-gpjv-6r8h-vp58