CVE-2025-36001 Overview
CVE-2025-36001 is a denial of service vulnerability affecting IBM Db2 for Linux, UNIX and Windows, including Db2 Connect Server. The vulnerability allows an authenticated user to cause a denial of service condition by executing a specially crafted SQL statement containing XML content that triggers uncontrolled recursion within the database engine.
The vulnerability is classified under CWE-674 (Uncontrolled Recursion): the affected component does not bound the depth of a recursive operation, so crafted input can drive it to stack exhaustion and a crash of the engine. The public description names the weakness class and the trigger (XML content inside an SQL statement) but not the specific parsing routine or code path involved, so the mechanism discussed below is the straightforward reading of that classification rather than disclosed detail.
Critical Impact
Authenticated attackers can crash IBM Db2 database instances, disrupting service for every application and user that depends on the database. Because the trigger is a single SQL statement executed under ordinary user privileges, every principal that can connect and run SQL is part of the attack surface, including compromised application service accounts.
Affected Products
- IBM Db2 for Linux, UNIX and Windows versions 11.5.0 through 11.5.9
- IBM Db2 for Linux, UNIX and Windows versions 12.1.0 through 12.1.3
- IBM Db2 Connect Server versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3
Publication Timeline
- 2026-01-30 - CVE-2025-36001 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2025-36001
Vulnerability Analysis
The vulnerability resides in IBM Db2's XML processing functionality. When the database engine parses XML content carried by an SQL statement, it does not enforce an adequate recursion depth limit, so an authenticated user can supply XML with deeply nested structure that drives the recursion without bound. Note that XML forbids recursive entity references and well-formed parsers reject them, so element nesting depth, not "self-referencing" content, is the construct consistent with CWE-674.
Once the engine starts recursing on such input, each level consumes stack until the process traps or stops responding. Db2 serves client connections as engine threads (EDUs) inside a single db2sysc process, so a fatal trap in one agent typically brings down the whole instance rather than just the offending connection, and availability is lost for every connected client.
The attack requires network access and valid database credentials, but no special privileges beyond basic authenticated user access. The vulnerability impacts only availability—confidentiality and integrity of data remain unaffected.
Root Cause
The root cause is improper handling of deeply recursive XML structures in IBM Db2's XML parsing subsystem: the parser lacks a depth check that would detect and terminate excessive recursion, so malicious input can exhaust the stack. This is the pattern CWE-674 (Uncontrolled Recursion) describes, recursion that continues without a bound on depth.
Attack Vector
The attack is executed over the network by an authenticated database user who submits an SQL statement carrying XML content engineered with excessive nesting depth. When Db2 parses that content, each nesting level adds a frame to the call stack until the stack limit is exceeded and the database service crashes.
The exact statement shape is not disclosed in the advisory text summarized here, and no proof of concept is implied by this description. Organizations running affected Db2 versions should consult the IBM Support Page for technical details and remediation guidance.
Detection Methods for CVE-2025-36001
Indicators of Compromise
- Unexpected termination or restart of the db2sysc process with no administrative cause; a Db2 crash normally leaves a first-occurrence data capture directory (FODC_Trap_*) under the instance diagnostic data path (these are general Db2 crash symptoms, not indicators unique to this CVE)
- db2diag.log entries at LEVEL: Severe around the time of the outage, particularly from XML-related engine functions, with clients receiving SQL1224N (the instance terminated the request) or SQL1042C (unexpected system error)
- Statements in audit EXECUTE records whose XML literals or parameters are unusually deep or unusually large
- Repeated connection failures from applications dependent on affected Db2 instances
Detection Strategies
- Monitor db2diag.log (for example with `db2diag -level Severe`) for severe entries and FODC output that coincide with statements using XML functions such as XMLPARSE, XMLQUERY, XMLTABLE or XMLEXISTS
- Audit the EXECUTE category with statement text and flag statements whose XML content is abnormally deep or large relative to normal application traffic
- Configure database monitoring to alert on sudden instance terminations, automatic restarts and high CPU during query execution
- Correlate audit records with the authorization ID and client application ID that issued each statement, so that a repeat submitter of unusual XML can be identified; authentication logs alone do not show statement content
Monitoring Recommendations
- Enable Db2 auditing for the EXECUTE category with statement data (db2audit, or CREATE AUDIT POLICY ... CATEGORIES EXECUTE WITH DATA STATUS BOTH followed by AUDIT DATABASE USING POLICY) so that XML-bearing statements are recorded
- Set up real-time alerting for Db2 service availability and automatic restart events
- Monitor instance memory and agent counts (db2pd -memsets, db2pd -edus); per-thread stack usage is not exposed as a metric, so crashes and FODC output, not resource trends, are the practical signal for this issue
- Baseline typical XML query patterns (depth, size, issuing identities) so that anomalous activity stands out
How to Mitigate CVE-2025-36001
Immediate Actions Required
- Apply the fix IBM provides for the affected release as documented in the vendor advisory
- Review which principals hold CONNECT on each database and remove access that is not needed; the statement runs under ordinary authenticated access, so the set of users who can connect is the attack surface
- Implement input validation at the application layer to cap XML nesting depth and size before content reaches Db2
- Db2 has no configuration switch that disables XML parsing, and the built-in XML functions are part of the SQL language, so treat patching as the only complete remediation and the items above as interim risk reduction
Patch Information
IBM has released security updates addressing this vulnerability. Affected organizations should upgrade to patched versions of IBM Db2 as specified in the official security bulletin. Refer to the IBM Support Page for detailed patch information and download links.
Affected version ranges requiring updates:
- IBM Db2 11.5.0 through 11.5.9 — update to the 11.5 fix level (fix pack or special build) named in the bulletin
- IBM Db2 12.1.0 through 12.1.3 — update to the 12.1 fix level (fix pack or special build) named in the bulletin
Workarounds
- Limit who can connect: revoke CONNECT from PUBLIC and grant it through roles only to the application identities that need it; there is no narrower privilege that gates the built-in XML functions
- Implement application-level controls that validate XML before database submission (nesting depth and size limits, no DOCTYPE), since the engine cannot be told to refuse deep input itself
- Plan for the crash rather than trying to absorb it: connection pooling does not protect a server that has trapped, so configure HADR or another failover arrangement and make sure pools reconnect cleanly on SQL1224N / SQL30081N instead of wedging
- Deploy network segmentation so that only trusted application servers can reach the database listener
# Example: limit who can connect at all (adjust database, role and user names for your environment).
# EXECUTE on built-in XML functions such as XMLPARSE and XMLQUERY cannot be revoked: they belong
# to the SQL language, not to grantable routines, so the practical lever is the CONNECT privilege.
db2 "CONNECT TO SAMPLE"
db2 "REVOKE CONNECT ON DATABASE FROM PUBLIC"
db2 "CREATE ROLE APP_USERS"
db2 "GRANT CONNECT ON DATABASE TO ROLE APP_USERS"
db2 "GRANT ROLE APP_USERS TO USER appsvc"
db2 "CONNECT RESET"
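The application-layer validation recommended above, and the detection idea of flagging statements with abnormally complex XML, both come down to one measurement: how deeply nested a document is. The following is an added example written for this page, not IBM code and not taken from the advisory. It streams a document through the standard-library expat parser, which walks elements iteratively, so the guard cannot itself be exhausted by the input it inspects, and refuses anything deeper than a depth budget or carrying a DOCTYPE. The depth limit of 64, the size cap, and the APP.DOCS table and BODY column are assumptions; the test documents are constructed inline.

```python
"""Application-side nesting-depth guard for XML bound for Db2.

Added example (not IBM code).  Measures element nesting depth with a
streaming parser and refuses documents deeper than a budget, so a
pathologically nested document never reaches the database engine.  The same
measurement can be run over statement text pulled from audit records to flag
abnormally complex XML.  Limits and table names below are assumptions.
"""
import xml.parsers.expat

DEPTH_LIMIT = 64               # assumed budget; business documents rarely exceed ~20 levels
MAX_BYTES = 4 * 1024 * 1024    # assumed size cap, checked before any parsing


class XmlRejected(ValueError):
    """The document must not be forwarded to the database."""


def nesting_depth(xml_text: str, limit: int = DEPTH_LIMIT) -> int:
    """Return the deepest element nesting in xml_text, or raise XmlRejected.

    expat fires a callback per element and keeps its own explicit stack, so
    this guard's stack usage does not grow with the input.  Parsing stops the
    moment the budget is exceeded.  DOCTYPE is refused outright because
    entity expansion is a separate amplification vector (a design choice here,
    not a statement about what Db2 accepts).
    """
    if len(xml_text.encode("utf-8")) > MAX_BYTES:
        raise XmlRejected(f"document larger than {MAX_BYTES} bytes")

    depth = 0
    deepest = 0

    def start_element(name, attrs):
        nonlocal depth, deepest
        depth += 1
        if depth > limit:
            raise XmlRejected(f"nesting depth exceeds {limit}")
        deepest = max(deepest, depth)

    def end_element(name):
        nonlocal depth
        depth -= 1

    def start_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise XmlRejected("DOCTYPE declarations are not accepted")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.StartDoctypeDeclHandler = start_doctype
    try:
        parser.Parse(xml_text, True)          # handler exceptions propagate out of Parse
    except xml.parsers.expat.ExpatError as exc:
        raise XmlRejected(f"not well-formed XML: {exc}") from exc
    return deepest


def is_acceptable(xml_text: str, limit: int = DEPTH_LIMIT) -> bool:
    """Boolean form of the guard for call sites that only need a verdict."""
    try:
        nesting_depth(xml_text, limit)
    except XmlRejected:
        return False
    return True


def build_guarded_insert(xml_text: str):
    """Return (sql, params) for a parameterised insert, or raise XmlRejected.

    APP.DOCS and its XML column BODY are assumed names.  XMLPARSE still runs
    inside Db2 on the bound parameter; the guard has already capped how deep
    that parse can go.
    """
    nesting_depth(xml_text)
    sql = ("INSERT INTO APP.DOCS (BODY) "
           "VALUES (XMLPARSE(DOCUMENT CAST(? AS CLOB(1M))))")
    return sql, (xml_text,)


def nested_document(depth: int) -> str:
    """Constructed test input: <n><n>...x...</n></n> nested `depth` levels deep."""
    return "<n>" * depth + "x" + "</n>" * depth


if __name__ == "__main__":
    samples = ("<r><a/><b><c/></b></r>", nested_document(64), nested_document(65),
               "<!DOCTYPE r [<!ENTITY e 'x'>]><r>&e;</r>", "<r>")
    for sample in samples:
        print(f"{sample[:40]!r:45} acceptable={is_acceptable(sample)}")
```

The guard parses each document twice in total (once here, once inside Db2), which is the price of not being able to configure a limit in the engine; for high-volume paths the size cap does most of the work cheaply and the depth walk only runs on documents that survive it. The same nesting_depth function can be pointed at XML extracted from audit EXECUTE records to rank statements by depth when hunting for the "abnormally complex XML" the detection section describes.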
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.