CVE-2025-36098 Overview
CVE-2025-36098 affects IBM Db2 for Linux, UNIX and Windows, including Db2 Connect Server. The vulnerability impacts versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3. An authenticated user can trigger a denial of service condition through improper allocation of resources, classified under [CWE-770]. The flaw is reachable over the network and requires only low privileges, making it accessible to any user with valid database credentials. Successful exploitation results in service availability impact without compromising data confidentiality or integrity.
Critical Impact
An authenticated remote attacker can exhaust Db2 server resources, disrupting database availability for all dependent applications and users.
Affected Products
- IBM Db2 for Linux, UNIX and Windows versions 11.5.0 through 11.5.9
- IBM Db2 for Linux, UNIX and Windows versions 12.1.0 through 12.1.3
- IBM Db2 Connect Server (bundled with affected Db2 versions)
Discovery Timeline
- 2026-01-30 - CVE-2025-36098 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2025-36098
Vulnerability Analysis
The vulnerability resides in how IBM Db2 allocates server-side resources when processing requests from authenticated sessions. The product fails to enforce sufficient limits on resource consumption, allowing a single authenticated user to drive the database engine into a denial of service state. Because the attack vector is network-accessible and requires no user interaction, any user holding even minimal database credentials can trigger the condition remotely.
The issue maps to [CWE-770]: Allocation of Resources Without Limits or Throttling. Db2 accepts and processes requests that consume memory, connection handles, threads, or other finite resources without imposing bounds appropriate to the requesting principal. Sustained exploitation degrades performance for legitimate workloads and can render the instance unresponsive.
Root Cause
The root cause is missing or insufficient throttling on resource allocation paths within the Db2 server. When an authenticated client issues requests that trigger expansive resource use, the server does not cap allocations per session, per user, or per request type. This permits resource exhaustion through ordinary protocol-level interactions rather than through any memory corruption or logic bypass.
Attack Vector
An attacker requires valid authentication credentials and network reachability to the Db2 listener. After establishing a session, the attacker issues crafted or repeated requests that force the server to allocate resources without releasing them. No elevated privileges, no user interaction, and no local access are required. The impact is limited to availability; confidentiality and integrity remain intact.
No public proof-of-concept exploit is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the IBM Support Page for vendor-supplied technical details.
Detection Methods for CVE-2025-36098
Indicators of Compromise
- Sudden spikes in Db2 memory, thread, or connection counts not correlated with workload growth
- Repeated requests from a single authenticated user that precede instance slowdowns or db2diag.log resource warnings
- Db2 errors such as SQL1224N (agent terminated) or SQL1042C (unexpected system error) appearing in clusters
Detection Strategies
- Monitor Db2 administrative views such as MON_GET_CONNECTION and MON_GET_MEMORY_POOL for outlier resource consumption by individual sessions
- Correlate authentication events with subsequent resource utilization to identify low-privilege accounts producing disproportionate load
- Enable Db2 audit logging for EXECUTE and CONTEXT categories to trace request patterns from suspected sessions
Monitoring Recommendations
- Forward Db2 diagnostic logs and operating system performance metrics to a centralized SIEM for correlation
- Set alert thresholds on memory pool growth, agent pool saturation, and connection counts per authenticated user
- Track instance restarts and failover events that may indicate successful exhaustion attempts
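The indicators, detection strategies and alert thresholds above can be scripted. The following Python is an added example, not code from the page or from IBM: it aggregates a MON_GET_CONNECTION-style snapshot per SESSION_AUTH_ID and flags principals whose CPU, connection count or held locks are disproportionate, and it clusters SQL1224N and SQL1042C occurrences from db2diag.log-style lines within a sliding time window. The snapshot rows and log lines are constructed (real db2diag.log records span several lines, so a production parser would join each record first), and the thresholds (10x the median user's CPU, more than 3 connections, more than 1000 locks, 3 errors in 5 minutes) are illustrative starting points to tune per environment.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed snapshot in the shape of MON_GET_CONNECTION output. The column
# names are the real view's; the values are made up for this example.
# (APPLICATION_HANDLE, SESSION_AUTH_ID, TOTAL_CPU_TIME in microseconds, NUM_LOCKS_HELD)
SNAPSHOT = [
    (101, "APPUSER", 1_200_000, 4),
    (102, "APPUSER", 900_000, 3),
    (103, "REPORTS", 2_500_000, 2),
    (104, "LOWPRIV", 48_000_000, 900),
    (105, "LOWPRIV", 46_000_000, 850),
    (106, "LOWPRIV", 51_000_000, 910),
    (107, "LOWPRIV", 47_000_000, 880),
    (108, "BATCH", 3_000_000, 10),
]

# Constructed one-line summaries of db2diag.log records, using db2diag's
# timestamp format (YYYY-MM-DD-HH.MM.SS.ffffff+ZZZ). Real records span
# several lines; join each record before feeding it to error_clusters().
DIAG_LINES = [
    "2026-02-01-10.00.05.000123+000 LEVEL: Error MESSAGE: SQL1224N agent terminated",
    "2026-02-01-10.01.10.004411+000 LEVEL: Error MESSAGE: SQL1224N agent terminated",
    "2026-02-01-10.02.40.120000+000 LEVEL: Error MESSAGE: SQL1224N agent terminated",
    "2026-02-01-10.03.15.330000+000 LEVEL: Error MESSAGE: SQL1224N agent terminated",
    "2026-02-01-10.30.00.000000+000 LEVEL: Severe MESSAGE: SQL1042C unexpected system error",
    "2026-02-01-10.31.00.000000+000 LEVEL: Error MESSAGE: SQL0911N deadlock or timeout",
    "2026-02-01-11.00.00.000000+000 LEVEL: Error MESSAGE: SQL1224N agent terminated",
]

DIAG_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}-\d{2}\.\d{2}\.\d{2})\.\d+[+-]\d{3}")
EXHAUSTION_CODES = re.compile(r"\b(SQL1224N|SQL1042C)\b")


def flag_outlier_users(rows, cpu_ratio=10.0, max_conns_per_user=3, max_locks_per_user=1000):
    """Aggregate connection rows per SESSION_AUTH_ID and return
    {auth_id: [reasons]} for principals whose total CPU is at least
    cpu_ratio times the median per-user total, who hold more than
    max_conns_per_user concurrent connections, or who hold more than
    max_locks_per_user locks across their connections."""
    per_user = defaultdict(lambda: {"conns": 0, "cpu_us": 0, "locks": 0})
    for _handle, auth_id, cpu_us, locks in rows:
        stats = per_user[auth_id]
        stats["conns"] += 1
        stats["cpu_us"] += cpu_us
        stats["locks"] += locks
    if not per_user:
        return {}
    median_cpu = statistics.median(s["cpu_us"] for s in per_user.values())
    flagged = {}
    for auth_id, stats in per_user.items():
        reasons = []
        if median_cpu > 0 and stats["cpu_us"] >= cpu_ratio * median_cpu:
            reasons.append(
                f"cpu {stats['cpu_us'] / 1e6:.1f}s is "
                f"{stats['cpu_us'] / median_cpu:.0f}x the median user"
            )
        if stats["conns"] > max_conns_per_user:
            reasons.append(f"{stats['conns']} connections exceed {max_conns_per_user}")
        if stats["locks"] > max_locks_per_user:
            reasons.append(f"{stats['locks']} locks held exceed {max_locks_per_user}")
        if reasons:
            flagged[auth_id] = reasons
    return flagged


def error_clusters(lines, window=timedelta(minutes=5), min_count=3):
    """Return {code: peak_count} for exhaustion-related SQL codes that occur
    at least min_count times within any interval of length window."""
    stamps = defaultdict(list)
    for line in lines:
        ts = DIAG_TS.match(line)
        code = EXHAUSTION_CODES.search(line)
        if not ts or not code:
            continue
        stamps[code.group(1)].append(datetime.strptime(ts.group(1), "%Y-%m-%d-%H.%M.%S"))
    clusters = {}
    for code, times in stamps.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_count:
            clusters[code] = peak
    return clusters


if __name__ == "__main__":
    for user, reasons in flag_outlier_users(SNAPSHOT).items():
        print(f"outlier {user}: {'; '.join(reasons)}")
    for code, n in error_clusters(DIAG_LINES).items():
        print(f"cluster {code}: {n} occurrences within 5 minutes")
```

In practice the snapshot would come from `SELECT APPLICATION_HANDLE, SESSION_AUTH_ID, TOTAL_CPU_TIME, NUM_LOCKS_HELD FROM TABLE(MON_GET_CONNECTION(NULL, -1))` run on a schedule, and both functions' results would be forwarded to the SIEM as alerts keyed on the authenticated user rather than only on the instance.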
How to Mitigate CVE-2025-36098
Immediate Actions Required
- Apply the fixes referenced in the IBM Support Page for CVE-2025-36098
- Inventory all Db2 instances running versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3 and prioritize patching internet-adjacent or multi-tenant systems
- Audit database accounts and revoke unused credentials to reduce the pool of identities that could trigger the flaw
Patch Information
IBM has published remediation guidance for affected Db2 releases. Consult the IBM Support Page for the specific fix pack or special build that addresses CVE-2025-36098 on your platform and version branch.
Workarounds
- Restrict network access to the Db2 listener using firewall rules so only trusted application hosts can reach the service
- Enforce per-user resource limits through Db2 workload management (WLM) thresholds such as SQLROWSRETURNED, CPUTIME, and CONNECTIONIDLETIME
- Lower MAX_CONNECTIONS and configure connection concentrator settings to bound per-user session counts
# Example: apply WLM thresholds to limit per-connection resource use.
# A database-wide CPUTIME threshold stops any single activity that burns more
# than 300 s of CPU; it is checked every 10 s.
db2 "CREATE THRESHOLD limit_cpu FOR DATABASE ACTIVITIES \
  ENFORCEMENT DATABASE \
  WHEN CPUTIME > 300 SECONDS CHECKING EVERY 10 SECONDS \
  STOP EXECUTION"
# MAX_CONNECTIONS and MAX_COORDAGENTS are database manager (instance) parameters,
# not database parameters. The connection concentrator is enabled when
# MAX_CONNECTIONS is greater than MAX_COORDAGENTS.
db2 "UPDATE DBM CFG USING MAX_CONNECTIONS 200"
db2 "UPDATE DBM CFG USING MAX_COORDAGENTS 100"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.