The Glass House: Shattering IBM Db2 with a Single SELECT
Vulnerability ID: CVE-2025-36070
CVSS Score: 6.5
Published: 2026-01-30
IBM Db2, the monolithic database engine powering financial institutions and enterprises globally, contains a fragility in its query processing engine. A denial-of-service vulnerability (CVE-2025-36070) allows any authenticated user—even those with minimal privileges—to crash the entire database instance by executing a SELECT statement against specific table types. The issue stems from an unhandled resource allocation failure (CWE-770) that results in a 'trap' (engine crash), effectively allowing a junior analyst to pull the plug on the production environment.
TL;DR
Authenticated users with low privileges can crash IBM Db2 servers by querying specific table structures. The vulnerability triggers an internal 'trap' (process termination) due to unchecked resource allocation. Patches are available in version 12.1.3 and special builds for 11.5.
Technical Details
- CWE: CWE-770 (Resource Allocation)
- CVSS: 6.5 (Medium)
- Attack Vector: Network (Authenticated)
- Impact: Denial of Service (High Availability Loss)
- Exploit Status: No Public PoC
- Vendor APAR: DT440126
Affected Systems
- IBM Db2 11.5 (Server)
- IBM Db2 12.1 (Server)
- IBM Db2 Connect Server 11.5
- IBM Db2 Connect Server 12.1
-
IBM Db2: 11.5.0 - 11.5.9 (Fixed in:
Special Build #66394) -
IBM Db2: 12.1.0 - 12.1.2 (Fixed in:
12.1.3)
Mitigation Strategies
- Apply vendor patches immediately
- Restrict database access to trusted users only
- Monitor db2diag.log for trap signals
Remediation Steps:
- Identify current Db2 level using
db2levelcommand. - Download the appropriate Special Build or Fix Pack from IBM Fix Central.
- Stop all Db2 instances (
db2stop force). - Apply the fix using
installFixPackor the platform-specific installer. - Update instances (
db2iupdt) and restart.
References
Read the full report for CVE-2025-36070 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)