CVE-2026-11906
Status: Received - Intake

Denial of Service in IBM Db2 due to XMLTable Query Logic

Vulnerability report for CVE-2026-11906, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: IBM Corporation

Description

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in the data query logic of XMLTable-derived columns.


Meta Information

Generated: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Associated CPEs (2):

Vendor  Product  Version / Range
ibm     db2      11.5.0 (inclusive) to 11.5.9 (inclusive)
ibm     db2      12.1.0 (inclusive) to 12.1.4 (inclusive)

Exploitability

CWE

CWE-1284: The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

Executive Summary

CVE-2026-11906 is a vulnerability in IBM Db2 versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 for Linux, UNIX, and Windows, including Db2 Connect Server. It arises from improper neutralization of special elements in the data query logic of XMLTable-derived columns.

The flaw allows an authenticated user to craft queries against XMLTable-derived columns that trigger a denial of service (DoS), potentially leaving the database server unresponsive.

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS) condition. An authenticated user can exploit the flaw to cause the IBM Db2 server to become unresponsive.

This can disrupt normal database operations, potentially leading to downtime and affecting availability of services relying on the database.

Detection Guidance

IBM has not published replication steps or specific detection commands for this vulnerability, in order to avoid aiding exploitation.

Consequently, there are no vendor-provided commands or direct detection methods for identifying exploitation attempts; the practical check is whether an installed Db2 instance falls within the affected version ranges listed above.

Mitigation Strategies

To mitigate this vulnerability, you should apply the special builds with interim fixes provided by IBM for the affected Db2 versions.

  • Identify if you are running IBM Db2 versions 11.5.0 through 11.5.9 or 12.1.0 through 12.1.4 on Linux, UNIX, or Windows.
  • Download and apply the interim fix packages available through IBM Fix Central.

No workarounds are currently recommended, so applying the official fixes is the primary mitigation step.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
