CVE-2025-13867
Improper Input Neutralization in IBM Db2 Causes DoS

Publication date: 2026-02-17

Last updated on: 2026-02-18

Assigner: IBM Corporation

Description
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3 could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-02-17
EPSS Evaluated: 2026-05-05
Source: NVD
Affected Vendors & Products
Six associated CPEs, which reduce to two distinct version ranges:
Vendor Product Version / Range
ibm db2 From 11.5.0 (inc) to 11.5.9 (inc)
ibm db2 From 12.1.0 (inc) to 12.1.3 (inc)
CWE ID Name / Description
CWE-1284 Improper Validation of Specified Quantity in Input: the product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-13867 is a denial of service (DoS) vulnerability in IBM Db2 for Linux, UNIX, and Windows (including Db2 Connect Server). It is triggered when multiple concurrent queries use specific spatial table functions; an authenticated user who can run such queries can cause the DoS. The description attributes the flaw to improper neutralization of special elements in data query logic.

The page classifies the issue under CWE-1284 (Improper Validation of Specified Quantity in Input). Note that this does not match the description's wording: "improper neutralization of special elements in data query logic" is the title of CWE-943, so the CWE assignment and the description disagree. Affected releases are IBM Db2 Server 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3 across the Linux, UNIX and Windows platforms.


How can this vulnerability impact me?

An authenticated user who can issue queries against the server could run multiple concurrent queries that use the affected spatial table functions and cause a denial of service on the IBM Db2 server.

The impact is to availability: the database stops serving other users until the instance recovers. Nothing in the description indicates loss of confidentiality or integrity. The CVSS vector is not shown on this page, so consult the IBM bulletin or NVD for the scored impact before prioritising.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

IBM has withheld replication steps and the specific Db2 functionality involved, so no query pattern or log signature can be derived from the available information.

In practice, detection reduces to inventory: identify every Db2 server and Db2 Connect Server instance, read its code level (the db2level command, or the SYSIBMADM.ENV_INST_INFO administrative view), and compare that level against the affected ranges and the fix build numbers in the IBM bulletin.


What immediate steps should I take to mitigate this vulnerability?

Apply the special interim fix builds provided by IBM, which are available for the affected versions of IBM Db2 Server.

  • For version 11.5.9, apply Special Build #66394 or later.
  • For version 12.1.2, apply Special Build #72296 or later.
  • For version 12.1.3, apply Special Build #74153 or later.

These fixes can be applied to any affected level within the specified releases.

No other workarounds or mitigations are provided, so applying the fix is the recommended immediate action.
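Added example for the detection and mitigation answers above (not part of this page or of IBM's tooling): a Python check that applies the affected ranges and the three special build numbers to the text of db2level. The "DB2 vX.Y.Z.W" informational token is how db2level reports the code level; the assumption that a special build appears among the tokens as "special_NNNNN" is mine, and the sample outputs are constructed, not captured from a real instance.

```python
"""Classify a Db2 instance against the CVE-2025-13867 affected ranges.

Intended use: db2level | python3 this_script.py  (script name is hypothetical).
Ranges and special-build numbers come from the advisory text on this page;
the db2level output used in the samples below is constructed for illustration.
"""
import re
import sys
from typing import Optional, Tuple

Level = Tuple[int, int, int]

# Affected ranges from the advisory, inclusive on both ends, keyed by major.minor.
AFFECTED = {
    (11, 5): ((11, 5, 0), (11, 5, 9)),
    (12, 1): ((12, 1, 0), (12, 1, 3)),
}

# Lowest special build that carries the fix, keyed by the level it is issued for.
# The advisory says each build "or later" applies and that the fixes can be
# applied to any affected level in the release, so a patched instance should
# report one of these three levels.
FIXED_SPECIAL_BUILD = {
    (11, 5, 9): 66394,
    (12, 1, 2): 72296,
    (12, 1, 3): 74153,
}

# db2level reports the code level as an informational token such as "DB2 v11.5.9.0".
VERSION_RE = re.compile(r'"DB2 v(\d+)\.(\d+)\.(\d+)\.(\d+)"')
# ASSUMPTION: a special build is reported as a "special_NNNNN" token. Confirm
# this against a known-patched instance before trusting a 'fixed' verdict.
SPECIAL_RE = re.compile(r'"special_(\d+)"')


def parse_db2level(output: str) -> Tuple[Level, Optional[int]]:
    """Return (major, minor, mod) and the special-build number, if any."""
    m = VERSION_RE.search(output)
    if m is None:
        raise ValueError('no "DB2 vX.Y.Z.W" token found in db2level output')
    level = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    s = SPECIAL_RE.search(output)
    return level, (int(s.group(1)) if s else None)


def assess(output: str) -> str:
    """One of: 'not-affected', 'vulnerable', 'fixed', 'indeterminate'."""
    level, special = parse_db2level(output)
    rng = AFFECTED.get(level[:2])
    if rng is None or not (rng[0] <= level <= rng[1]):
        return "not-affected"      # outside both advisory ranges
    if special is None:
        return "vulnerable"        # in range and no special build at all
    required = FIXED_SPECIAL_BUILD.get(level)
    if required is None:
        # A special build at, say, 11.5.8 cannot be one of the three fix
        # builds, but it may be an unrelated build: leave it to a human.
        return "indeterminate"
    return "fixed" if special >= required else "vulnerable"


# Constructed samples in the shape of db2level output (not from a real system);
# the instance name and build tokens are made up.
SAMPLE_UNPATCHED = (
    'DB21085I  This instance or install (instance name, where applicable: '
    '"db2inst1") uses "64" bits and DB2 code release "SQL11059" with level '
    'identifier "0A0A010F".\n'
    'Informational tokens are "DB2 v11.5.9.0", "s2310270807", '
    '"DYN2310270807AMD64", and Fix Pack "0".\n'
)
SAMPLE_PATCHED = SAMPLE_UNPATCHED.replace(
    'and Fix Pack "0".', '"special_66394", and Fix Pack "0".')
SAMPLE_OLD_SPECIAL = SAMPLE_UNPATCHED.replace(
    'and Fix Pack "0".', '"special_60000", and Fix Pack "0".')
SAMPLE_NEWER_RELEASE = SAMPLE_UNPATCHED.replace("DB2 v11.5.9.0", "DB2 v12.1.4.0")

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_UNPATCHED
    print(assess(text))
```

The check deliberately refuses to call an in-range instance "fixed" unless it reports both one of the three fix levels and a build number at or above the one IBM lists; anything else in range is either vulnerable or handed back as indeterminate for manual review, which is the safe failure mode for an availability bug with no workaround.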

Customers are also encouraged to subscribe to IBM notifications for future security bulletins.

