IBM Db2

By the Year

In 2026 there have been 21 vulnerabilities in IBM Db2 with an average score of 6.4 out of ten. Last year, in 2025, Db2 had 28 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Db2 in 2026 could surpass last year's number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.15.

Year  Vulnerabilities  Average Score
2026  21               6.45
2025  28               6.30
2024  30               6.49
2023  37               7.24
2022  3                7.27
2021  2                6.10
2020  0                0.00
2019  3                7.15

It may take a day or so for new Db2 vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent IBM Db2 Security Vulnerabilities

IBM DB2 Merge Backup (12.1.0.0) Stack Buffer Overwrite Crash
CVE-2025-33130 6.5 - Medium - February 17, 2026

IBM DB2 Merge Backup for Linux, UNIX and Windows 12.1.0.0 could allow an authenticated user to cause the program to crash due to a buffer being overwritten when it is allocated on the stack.

Classic Buffer Overflow

IBM DB2 Merge Backup 12.1.0.0 Buffer Over-read Leak (CVE-2025-13108)
CVE-2025-13108 5.5 - Medium - February 17, 2026

IBM DB2 Merge Backup for Linux, UNIX and Windows 12.1.0.0 could allow an attacker to access sensitive information in memory due to a buffer that is not properly cleared before reuse.

Sensitive Information in Resource Not Removed Before Reuse

IBM Db2 Big SQL on CP4D 7.6-7.8 DoS via Resource Allocation Bypass
CVE-2024-39724 5.3 - Medium - February 04, 2026

IBM Db2 Big SQL on Cloud Pak for Data versions 7.6 (on CP4D 4.8), 7.7 (on CP4D 5.0), and 7.8 (on CP4D 5.1) do not properly limit the allocation of system resources. An authenticated user with internal knowledge of the environment could exploit this weakness to cause a denial of service.

Allocation of Resources Without Limits or Throttling

IBM Db2 11.5.x LUW DoS via crafted query crash
CVE-2025-2668 6.5 - Medium - January 30, 2026

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 is vulnerable to a denial of service as the server may crash when an authenticated user creates a specially crafted query.

Stack Exhaustion

IBM DB2 11.5.x-12.1.x DoS via Auth XML Recursion
CVE-2025-36001 6.5 - Medium - January 30, 2026

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow an authenticated user to cause a denial of service using a specially crafted SQL statement including XML that performs uncontrolled recursion.

Stack Exhaustion

IBM Db2 DOS via Global Variable Exhaustion (CVE-2025-36009)
CVE-2025-36009 6.5 - Medium - January 30, 2026

IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service due to excessive use of a global variable.

Improper Validation of Specified Quantity in Input

IBM Db2 11.5/12.1 DoS via trap on SELECT tables
CVE-2025-36070 6.5 - Medium - January 30, 2026

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 is vulnerable to a denial of service as a trap may occur when selecting from certain types of tables.

Allocation of Resources Without Limits or Throttling

IBM Db2 for LUW DoS via resource allocation (11.5.0-11.5.9, 12.1.0-12.1.3)
CVE-2025-36098 6.5 - Medium - January 30, 2026

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow an authenticated user to cause a denial of service due to improper allocation of resources.

Allocation of Resources Without Limits or Throttling

IBM Db2 v11.5-12.1 DoS via XML Table Copy (local user)
CVE-2025-36123 6.2 - Medium - January 30, 2026

IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service when copying a large table containing XML data due to improper allocation of system resources.

Allocation of Resources Without Limits or Throttling

IBM Db2 11.5.0-11.5.9 Instance Owner Priv Escal to Root
CVE-2025-36184 7.2 - High - January 30, 2026

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 could allow an instance owner to execute malicious code that escalates their privileges to root due to execution of unnecessary privileges operated at a higher than minimum level.

Execution with Unnecessary Privileges

IBM Db2 11.5.x/12.1.x: Local DOS via Improper Query Logic Neutralization
CVE-2025-36353 6.2 - Medium - January 30, 2026

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic.

Improper Neutralization of Special Elements in Data Query Logic

Auth Bypass in IBM Db2 11.5 & 12.1 via Remote Storage Aliases
CVE-2025-36365 6.8 - Medium - January 30, 2026

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3, under a specific configuration of cataloged remote storage aliases, could allow an authenticated user to execute unauthorized commands due to an authorization bypass vulnerability using a user-controlled key.

Insecure Direct Object Reference / IDOR

IBM Db2 JSON_Object function DOS via unhandled exception
CVE-2025-36366 6.5 - Medium - January 30, 2026

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow a user to cause a denial of service by executing a query that invokes the JSON_Object scalar function, which may trigger an unhandled exception leading to abnormal server termination.

Improper Neutralization of Special Elements in Data Query Logic

Priv Escalation via Unquoted Search Path in IBM Db2 for Windows 12.1.x
CVE-2025-36384 8.4 - High - January 30, 2026

IBM Db2 for Windows 12.1.0 - 12.1.3 could allow a local user with filesystem access to escalate their privileges due to the use of an unquoted search path element.

Unquoted Search Path or Element

IBM Db2 11.5.0-11.5.9 Authenticated Denial of Service via Crafted Query
CVE-2025-36387 6.5 - Medium - January 30, 2026

IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 - 11.5.9 could allow an authenticated user to cause a denial of service when given a specially crafted query.

Allocation of Resources Without Limits or Throttling

IBM Db2 DoS via ALTER TABLE Injection in Query
CVE-2025-36407 6.5 - Medium - January 30, 2026

IBM® Db2® is vulnerable to a denial of service with a specially crafted query that uses ALTER TABLE operations.

Improper Validation of Specified Quantity in Input

IBM Db2 12.1.0-12.1.3 Local DoS via Improper Neutralization
CVE-2025-36423 6.5 - Medium - January 30, 2026

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic.

Improper Validation of Specified Quantity in Input

IBM Db2 DoS via Improper Neutralization of Query Elements
CVE-2025-36424 6.5 - Medium - January 30, 2026

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow a user to cause a denial of service due to improper neutralization of special elements in data query logic.

Improper Validation of Specified Quantity in Input

Db2 DDoS via insufficient validation of special elements in query logic
CVE-2025-36427 6.5 - Medium - January 30, 2026

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow a user to cause a denial of service due to insufficient validation of special elements in data query logic.

Improper Validation of Specified Quantity in Input

IBM Db2 11.5-12.1 RPSCAN Authenticated DoS via Query Logic
CVE-2025-36428 5.3 - Medium - January 30, 2026

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic when the RPSCAN feature is enabled.

Improper Validation of Specified Quantity in Input

IBM Db2 <=12.1.3 DoS via Crafted XML Query
CVE-2025-36442 6.5 - Medium - January 30, 2026

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query with XML columns.

Improper Neutralization of Special Elements in Data Query Logic

IBM Db2 Int'l Center 1.1.0-1.1.2 Auth Bypass via Client-Side (CVE-2025-14687)
CVE-2025-14687 4.3 - Medium - December 26, 2025

IBM Db2 Intelligence Center 1.1.0, 1.1.1, and 1.1.2 could allow an authenticated user to perform unauthorized actions due to client-side enforcement of server-side security mechanisms.

Client-Side Enforcement of Server-Side Security

IBM Db2 Auth Denial via Resource Leak (10.5-12.1)
CVE-2025-36006 6.5 - Medium - November 07, 2025

IBM Db2 10.5.0 through 10.5.11, 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to the improper release of resources after use.

Improper Resource Shutdown or Release

IBM Db2 11.5.x-11.5.9 / 12.1.x-12.1.3 DoS via Improper Resource Allocation
CVE-2025-36008 6.5 - Medium - November 07, 2025

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper allocation of resources.

Allocation of Resources Without Limits or Throttling

IBM Db2 clpplus Exposes Credentials on Linux/UNIX/Windows (11.1-12.1)
CVE-2025-36131 4.6 - Medium - November 07, 2025

The clpplus command in IBM Db2 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) exposes user credentials to the terminal, which could be obtained by a third party with physical access to the system.

Privacy violation

IBM Db2 11.5.0-11.5.9 & 12.1.0-12.1.3 Local DoS via Monitor Script
CVE-2025-36136 5.1 - Medium - November 07, 2025

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow a local user to cause a denial of service due to the database monitor script incorrectly detecting that the instance is still starting under specific conditions.

Allocation of Resources Without Limits or Throttling

IBM Db2 12.1.0-12.1.2 Local User DDOS via Improper Query Logic
CVE-2025-36185 6.2 - Medium - November 07, 2025

IBM Db2 12.1.0 through 12.1.2 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic.

Improper Neutralization of Special Elements in Data Query Logic

CVE-2025-36186: IBM Db2 12.1.0-12.1.3 Local Priv Esc via Unnecessary Privilege Use
CVE-2025-36186 7.4 - High - November 07, 2025

IBM Db2 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) under specific configurations could allow a local user to execute malicious code that escalates their privileges to root due to execution of unnecessary privileges operated at a higher than minimum level.

Execution with Unnecessary Privileges

IBM Db2 10.5-12.1.3 (Linux) Auth regain after lockout via password reuse
CVE-2025-33012 6.3 - Medium - November 07, 2025

IBM Db2 10.5.0 through 10.5.11, 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux could allow an authenticated user to regain access after account lockout due to password use after expiration date.

Use of a Key Past its Expiration Date

IBM Db2 DoS via crafted query on server before 11.1.5/11.5.10/12.1.4
CVE-2025-2534 5.3 - Medium - November 07, 2025

IBM Db2 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query.

Stack Exhaustion

IBM Db2 DoS via crafted query (10.5-12.1.3)
CVE-2024-47118 6.5 - Medium - November 07, 2025

IBM Db2 10.5.0 through 10.5.11, 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query.

Stack Overflow

IBM DB2 HPU Crash via Bad Size Calc (auth) pre-6.5.0.0 IF1
CVE-2025-33132 6.5 - Medium - October 27, 2025

IBM DB2 High Performance Unload 6.1.0.3, 5.1.0.1, 6.1.0.2, 6.5, 6.5.0.0 IF1, 6.1.0.1, 6.1, and 5.1 could allow an authenticated user to cause the program to crash due to the incorrect calculation of the size of the data that is being pointed to.

Use of sizeof() on a Pointer Type

IBM Db2 DoS from Crafted Query (v10.5.0.0 - v12.1.2)
CVE-2024-49828 7.5 - High - July 29, 2025

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5.0.0 through 10.5.0.11, 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.2 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query.

Stack Overflow

IBM Db2 DoS 10.5.0.x-10.5.0.11, 11.1.0-11.1.4.7, 11.5.0-11.5.9, 12.1.0-12.1.2
CVE-2024-51473 7.5 - High - July 29, 2025

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5.0.0 through 10.5.0.11, 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.2 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query.

Stack Overflow

IBM Db2 DoS via crafted query in 10.5-12.1
CVE-2024-52894 4.9 - Medium - July 29, 2025

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5.0.0 through 10.5.0.11, 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.2 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query.

Stack Overflow

IBM Db2 11.5-12.1 DoS via Query Memory Leak
CVE-2025-36071 7.5 - High - July 29, 2025

IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.2 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query due to improper release of memory resources.

Missing Release of Resource after Effective Lifetime

IBM Db2 12.1.x stack buffer overflow RCE in db2fm
CVE-2025-33092 7.8 - High - July 29, 2025

IBM Db2 for Linux 12.1.0, 12.1.1, and 12.1.2 is vulnerable to a stack-based buffer overflow in db2fm, caused by improper bounds checking. A local user could overflow the buffer and execute arbitrary code on the system.

Stack Overflow

IBM Db2 for Linux DoS via crafted query (12.1.0-12.1.2)
CVE-2025-33114 7.5 - High - July 29, 2025

IBM Db2 for Linux 12.1.0, 12.1.1, and 12.1.2 is vulnerable to denial of service with a specially crafted query under certain non-default conditions.

Improper Neutralization of Special Elements in Data Query Logic

IBM Db2 for Linux 12.1.x DoS via Crafted Query
CVE-2025-2533 7.5 - High - July 29, 2025

IBM Db2 for Linux 12.1.0, 12.1.1, and 12.1.2 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query.

CVE-2025-36010 IBM Db2 Linux 12.1.x: Unauth DOS via lock contention
CVE-2025-36010 7.5 - High - July 29, 2025

IBM Db2 for Linux 12.1.0, 12.1.1, and 12.1.2 could allow an unauthenticated user to cause a denial of service due to executable segments that are waiting for each other to release a necessary lock.

Deadlock

IBM Db2 11.5.0-11.5.9 & 12.1.0-12.1.1: DOS via crafted query
CVE-2025-2518 7.5 - High - May 29, 2025

IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.1 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query.

Stack Exhaustion

IBM Db2 DoS via crafted query (pre-12.1.2)
CVE-2024-49350 7.5 - High - May 29, 2025

IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9 and 12.1.0 through 12.1.1 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query.

Memory Corruption

IBM Db2 11.5.0-11.5.9 & 12.1.0-12.1.1 Q Replication CPU DoS
CVE-2025-3050 6.5 - Medium - May 29, 2025

IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.1 could allow an authenticated user to cause a denial of service when using Q replication due to the improper allocation of CPU resources.

Allocation of Resources Without Limits or Throttling

IBM Db2 for LUW 11.5.0-11.5.9 & 12.1.0-12.1.1: Auth DoS via Memory Leak
CVE-2025-0915 5.3 - Medium - May 05, 2025

IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.1 under specific configurations could allow an authenticated user to cause a denial of service due to insufficient release of allocated memory resources.

Allocation of Resources Without Limits or Throttling

IBM Db2 DDoS via Auto Client Rerouting (11.5.0-11.5.9, 12.1.0-12.1.1)
CVE-2025-1000 5.3 - Medium - May 05, 2025

IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.1 could allow an authenticated user to cause a denial of service when connecting to a z/OS database due to improper handling of automatic client rerouting.

Allocation of Resources Without Limits or Throttling

IBM Db2 v12.1.0-12.1.1 Authenticated DoS via Concurrent Shared Resource
CVE-2025-1493 5.3 - Medium - May 05, 2025

IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 12.1.0 through 12.1.1 could allow an authenticated user to cause a denial of service due to concurrent execution of shared resources.

Race Condition

IBM Db2 11.5-12.1 Authenticated Federation DoS via Insufficient Memory Release
CVE-2025-1992 5.3 - Medium - May 05, 2025

IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.1 could allow an authenticated user in a federation environment to cause a denial of service due to insufficient release of allocated memory after usage.

Memory Leak

IBM Db2 before 12.1.2: DOS via crafted query to crash server
CVE-2024-52903 5.3 - Medium - May 01, 2025

IBM Db2 for Linux, UNIX and Windows 12.1.0 and 12.1.1 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query.

Uncaught Exception

Information Disclosure in IBM Db2 11.5 via Log File (CVE-2024-40679)
CVE-2024-40679 5.5 - Medium - January 08, 2025

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 is vulnerable to an information disclosure vulnerability as sensitive information may be included in a log file under specific conditions.

Insertion of Sensitive Information into Log File

DB2 10.5, 11.1, 11.5 DoS via crafted query (IBM)
CVE-2023-30443 6.5 - Medium - December 19, 2024

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to denial of service with a specially crafted query.

Allocation of Resources Without Limits or Throttling
