CVE-2025-36122
Denial of Service in IBM Db2 via SQL Query
Publication date: 2026-04-30
Last updated on: 2026-05-01
Assigner: IBM Corporation
Description
CVSS Scores
EPSS Scores
| Probability | Percentile |
|---|---|
| | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ibm | db2 | From 11.5.0 (inc) to 11.5.9 (inc) |
| ibm | db2 | From 12.1.0 (inc) to 12.1.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability is a configuration check on the memory-allocation parameters of IBM Db2, not a network signature. Specifically, verify whether the stmtheap database configuration parameter is set to AUTOMATIC(limit), the setting this page flags as exploitable, and whether instance memory is left on automatic allocation.
Note that stmtheap is a database (db cfg) parameter, so it is read per database, not from the database manager configuration; instance_memory is a database manager (dbm cfg) parameter. Db2 prints parameter names in upper case in its configuration listings, so use a case-insensitive grep. To display the current value of stmtheap for a given database, run:
- db2 get db cfg for <database> | grep -i stmtheap
Additionally, check the instance_memory parameter setting with:
- db2 get dbm cfg | grep -i instance_memory
Monitoring for denial-of-service symptoms or abnormal memory consumption following SQL statements submitted by authenticated users may also indicate exploitation attempts.
Can you explain this vulnerability to me?
This vulnerability affects IBM Db2 versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3 on Linux, UNIX, and Windows platforms, including DB2 Connect Server. It allows an authenticated user to cause a denial of service by using a specially crafted SQL query. The issue arises due to improper allocation of system resources when processing such queries.
How can this vulnerability impact me?
The primary impact of this vulnerability is a denial of service (DoS) condition. An authenticated user could exploit this flaw to disrupt the availability of the IBM Db2 database service by causing it to improperly allocate system resources, potentially leading to service outages or degraded performance.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an authenticated user to cause a denial of service by exploiting improper allocation of system resources via a specially crafted SQL query.
Since the vulnerability impacts availability (denial of service) but does not affect the confidentiality or integrity of data, its direct impact on compliance with standards like GDPR or HIPAA, which primarily focus on protecting the confidentiality and integrity of personal data, is limited.
However, denial of service could indirectly affect compliance if it disrupts access to critical systems or data required for regulatory obligations.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, IBM recommends applying the interim fixes available via Fix Central for the affected 11.5 and 12.1 releases.
In addition to applying the fixes, set the Db2 registry variable DB2_STRICT_INSTANCE_MEMORY=ON (it is a Db2 registry variable set with the db2set command, not an operating-system environment variable) to complete the remediation; registry variables are read when the instance starts, so restart the instance after setting it.
As a workaround, set the dbm cfg parameter instance_memory to a fixed number of 4 KB pages instead of AUTOMATIC (db2 update dbm cfg using INSTANCE_MEMORY <pages>); if Db2 returns SQL1362W, the change is deferred until the instance is restarted with db2stop and db2start.
These steps bound the memory the instance can allocate, which removes the unrestricted resource allocation (CWE-770) that an authenticated user could otherwise trigger with a specially crafted SQL query.
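The following script is an added example, not code from this page or from IBM. It ties the detection checks above (stmtheap, instance_memory, DB2_STRICT_INSTANCE_MEMORY) to the mitigation steps: it parses the text that `db2 get dbm cfg`, `db2 get db cfg for <database>` and `db2set -all` print, flags an instance that still relies on automatic instance-memory sizing or lacks the strict registry setting, and prints the remediation commands. The SAMPLE_* strings are constructed to mimic that output and are not captured from a real system; the parameter and registry names are the real Db2 ones, while the numeric values are illustrative.

```shell
#!/bin/sh
# Added example: audit captured Db2 configuration output for the settings
# this advisory page points at. The SAMPLE_* strings are constructed, not
# captured from a real instance; on a live system feed in the output of
# `db2 get dbm cfg`, `db2 get db cfg for <database>` and `db2set -all`.

SAMPLE_DBM_CFG=' Size of instance shared memory (4KB)       (INSTANCE_MEMORY) = AUTOMATIC(2072576)
 Max number of existing agents                    (MAXAGENTS) = 200'

SAMPLE_DB_CFG=' Statement heap (4KB)                             (STMTHEAP) = AUTOMATIC(8192)
 Sort heap (4KB)                                  (SORTHEAP) = AUTOMATIC(256)'

SAMPLE_DB2SET='[i] DB2COMM=TCPIP
[i] DB2_STRICT_INSTANCE_MEMORY=OFF'

# The same instance after the workaround on this page was applied
# (constructed, like the samples above).
SAMPLE_DBM_CFG_FIXED=' Size of instance shared memory (4KB)       (INSTANCE_MEMORY) = 2072576'
SAMPLE_DB2SET_FIXED='[i] DB2COMM=TCPIP
[i] DB2_STRICT_INSTANCE_MEMORY=ON'

# cfg_value NAME TEXT: print the value shown for "(NAME) = value" in
# `db2 get dbm cfg` / `db2 get db cfg` output (names are upper case there).
cfg_value() {
    printf '%s\n' "$2" | sed -n "s/.*(${1}) *= *//p" | sed 's/[[:space:]]*$//'
}

# registry_value NAME TEXT: print the value of NAME from `db2set -all`
# output, tolerating the "[i] " / "[g] " scope prefix Db2 prints.
registry_value() {
    printf '%s\n' "$2" | sed -n "s/^\(\[[a-z]\] *\)*${1}=//p"
}

# is_automatic VALUE: succeed when Db2 sizes the resource automatically
# (the value reads AUTOMATIC or AUTOMATIC(limit)).
is_automatic() {
    case "$1" in
        AUTOMATIC*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit DBM_CFG DB_CFG DB2SET: print findings; succeed only when the
# instance already matches the mitigated state described on this page
# (fixed INSTANCE_MEMORY and DB2_STRICT_INSTANCE_MEMORY=ON).
audit() {
    findings=0
    im=$(cfg_value INSTANCE_MEMORY "$1")
    if is_automatic "$im"; then
        echo "FINDING: INSTANCE_MEMORY=$im; workaround is a fixed value"
        findings=1
    fi
    strict=$(registry_value DB2_STRICT_INSTANCE_MEMORY "$3")
    if [ "$strict" != "ON" ]; then
        echo "FINDING: DB2_STRICT_INSTANCE_MEMORY=${strict:-unset}; expected ON"
        findings=1
    fi
    sheap=$(cfg_value STMTHEAP "$2")
    if is_automatic "$sheap"; then
        echo "INFO: STMTHEAP=$sheap (automatic statement heap, the setting the detection note points at)"
    fi
    return $findings
}

if audit "$SAMPLE_DBM_CFG" "$SAMPLE_DB_CFG" "$SAMPLE_DB2SET"; then
    echo "no findings"
else
    echo "remediate: db2set DB2_STRICT_INSTANCE_MEMORY=ON; db2 update dbm cfg using INSTANCE_MEMORY <pages>; db2stop; db2start"
fi
```

On a real host, replace the SAMPLE_* variables with command substitutions such as `DBM=$(db2 get dbm cfg)` run as the instance owner, and run the db cfg check once per database, since stmtheap is a per-database parameter. The STMTHEAP line is reported as information rather than a finding because IBM's documented remediation is the fix plus the strict instance-memory setting, not a change to the statement heap.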