CVE-2025-36122
Received Received - Intake
Denial of Service in IBM Db2 via SQL Query

Publication date: 2026-04-30

Last updated on: 2026-05-01

Assigner: IBM Corporation

Description
IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service using a specially crafted SQL query due to improper allocation of system resources.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-30
Last Modified
2026-05-01
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2025-36122
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
ibm db2 From 11.5.0 (inc) to 11.5.9 (inc)
ibm db2 From 11.5.0 (inc) to 11.5.9 (inc)
ibm db2 From 11.5.0 (inc) to 11.5.9 (inc)
ibm db2 From 12.1.0 (inc) to 12.1.3 (inc)
ibm db2 From 12.1.0 (inc) to 12.1.3 (inc)
ibm db2 From 12.1.0 (inc) to 12.1.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects IBM Db2 versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3 on Linux, UNIX, and Windows platforms, including DB2 Connect Server. It allows an authenticated user to cause a denial of service by using a specially crafted SQL query. The issue arises due to improper allocation of system resources when processing such queries.

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS) condition. An authenticated user could exploit this flaw to disrupt the availability of the IBM Db2 database service by causing it to improperly allocate system resources, potentially leading to service outages or degraded performance.

Compliance Impact

The vulnerability allows an authenticated user to cause a denial of service by exploiting improper allocation of system resources via a specially crafted SQL query.

Since the vulnerability impacts availability (denial of service) but does not affect confidentiality or integrity of data, its direct impact on compliance with standards like GDPR or HIPAAβ€”which primarily focus on protecting personal data confidentiality and integrityβ€”is limited.

However, denial of service could indirectly affect compliance if it disrupts access to critical systems or data required for regulatory obligations.

Detection Guidance

Detection of this vulnerability involves checking the configuration parameters related to memory allocation in IBM Db2. Specifically, you should verify if the stmtheap configuration parameter is set to AUTOMATIC(limit), which is vulnerable to exploitation.

You can use Db2 commands to check the current configuration settings. For example, run the following command to display the current value of stmtheap:

  • db2 get dbm cfg | grep stmtheap

Additionally, check the instance_memory parameter setting with:

  • db2 get dbm cfg | grep instance_memory

Monitoring for unusual denial of service symptoms or abnormal resource usage after running specially crafted SQL queries by authenticated users may also indicate exploitation attempts.

Mitigation Strategies

To mitigate this vulnerability, IBM recommends applying the interim fixes available via Fix Central.

In addition to applying the fixes, you should set the environment variable DB2_STRICT_INSTANCE_MEMORY=ON to ensure proper remediation.

As a workaround, you can set the dbm cfg instance_memory parameter to a fixed value instead of allowing automatic memory allocation.

These steps help prevent improper allocation of system resources that could be exploited by an authenticated user sending specially crafted SQL queries.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-36122. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart