CVE-2025-33124

6.5 MEDIUM

📋 TL;DR

IBM DB2 Merge Backup contains an incorrect buffer size calculation vulnerability that lets an authenticated user crash the program (denial of service). It affects IBM DB2 Merge Backup 12.1.0.0 on Linux, UNIX, and Windows; no unauthenticated path is known.

💻 Affected Systems

Products:
  • IBM DB2 Merge Backup
Versions: 12.1.0.0
Operating Systems: Linux, UNIX, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the merge backup component, not the core DB2 database engine.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Denial of service causing backup operations to fail, potentially disrupting database maintenance and recovery capabilities.

🟠

Likely Case

Program crash during backup operations requiring manual restart of the merge backup service.

🟢

If Mitigated

Minimal impact with proper access controls limiting authenticated user access to backup functions.

🌐 Internet-Facing: LOW - Requires authenticated access and specific backup functionality.
🏢 Internal Only: MEDIUM - Authenticated database administrators or backup operators could intentionally or accidentally trigger the crash.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated user access to trigger the buffer calculation issue.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply fix from IBM support document

Vendor Advisory: https://www.ibm.com/support/pages/node/7260043

Restart Required: Yes

Instructions:

1. Review IBM advisory 7260043.
2. Apply the recommended fix from IBM support.
3. Restart the DB2 Merge Backup service.
4. Verify the fix is applied.

🔧 Temporary Workarounds

Restrict backup access (all platforms)
  • Limit authenticated user access to only essential backup operators
  • Review and modify user permissions for DB2 backup functions

Monitor backup operations (all platforms)
  • Implement monitoring for backup process crashes
  • Set up alerts for DB2 backup service failures
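One concrete way to carry out the "review user permissions" workaround is to list who holds the Db2 instance authorities that gate BACKUP DATABASE (SYSADM, SYSCTRL, SYSMAINT) and compare them against the operators you expect. The script below is an added example, not code from the page or from IBM; it assumes the `(SYSADM_GROUP) = NAME` layout of `db2 get dbm cfg` output and UNIX `/etc/group` style membership lines, and the group names and users in the samples are constructed. Whether Merge Backup enforces additional checks of its own is not stated on the page, so treat this as the engine-side part of the review.

```python
import re

# Constructed sample in the layout of `db2 get dbm cfg` output (relevant lines only;
# group names are invented for this example).
SAMPLE_DBM_CFG = """\
 SYSADM group name                        (SYSADM_GROUP) = DB2IADM1
 SYSCTRL group name                      (SYSCTRL_GROUP) = DB2CTRL
 SYSMAINT group name                    (SYSMAINT_GROUP) = DB2MAINT
 SYSMON group name                        (SYSMON_GROUP) =
"""

# Constructed /etc/group style lines (name:x:gid:member,member); users are invented.
SAMPLE_GROUPS = """\
db2iadm1:x:1001:db2inst1
db2ctrl:x:1002:dba1,dba2
db2maint:x:1003:backupop,appsvc,jdoe,dba1
staff:x:50:jdoe,appsvc
"""

# Instance authorities that allow running BACKUP DATABASE.
AUTHORITY_KEYS = ("SYSADM_GROUP", "SYSCTRL_GROUP", "SYSMAINT_GROUP")
CFG_RE = re.compile(r"\((?P<key>SYS\w+_GROUP)\)\s*=\s*(?P<val>\S*)")


def parse_dbm_cfg(text):
    """Return {parameter: group name or None} for the SYS*_GROUP parameters."""
    groups = {}
    for line in text.splitlines():
        m = CFG_RE.search(line)
        if m:
            groups[m["key"]] = m["val"].lower() or None
    return groups


def parse_groups(text):
    """Return {group name: [members]} from /etc/group style lines."""
    members = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        members[parts[0].lower()] = [u for u in parts[3].split(",") if u]
    return members


def backup_principals(cfg_text, group_text, allowed=frozenset()):
    """List users who can run backups and flag any not in the expected operator set."""
    cfg = parse_dbm_cfg(cfg_text)
    members = parse_groups(group_text)
    report = {"authorities": {}, "unexpected": set(), "unset": []}
    for key in AUTHORITY_KEYS:
        grp = cfg.get(key)
        if not grp:
            # Empty means the instance default applies; review that case by hand.
            report["unset"].append(key)
            continue
        users = members.get(grp, [])
        report["authorities"][key] = (grp, users)
        report["unexpected"].update(u for u in users if u not in allowed)
    return report


if __name__ == "__main__":
    expected_operators = {"db2inst1", "dba1", "dba2", "backupop"}
    rep = backup_principals(SAMPLE_DBM_CFG, SAMPLE_GROUPS, expected_operators)
    for key, (grp, users) in rep["authorities"].items():
        print(f"{key:15s} {grp:10s} {', '.join(users)}")
    print("unset:", rep["unset"])
    print("unexpected backup principals:", sorted(rep["unexpected"]))
```

In practice feed it `db2 get dbm cfg` and `getent group` output captured from the instance host; on Windows the membership side comes from local or domain groups instead and the parser would need adapting.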

🧯 If You Can't Patch

  • Implement strict access controls to limit who can execute merge backup operations
  • Monitor for backup service crashes and implement automated restart procedures

🔍 How to Verify

Check if Vulnerable:

Check whether IBM DB2 Merge Backup 12.1.0.0 is installed. Merge Backup is a separately installed product, so the Db2 engine level alone does not tell you.

Check Version:

db2level (reports the code level of the Db2 instance; confirm the Merge Backup product version from its own installation as described in the IBM advisory)

Verify Fix Applied:

Confirm the installed Merge Backup level matches the fixed level named in IBM advisory 7260043, then run a merge backup end to end and confirm it completes.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected termination of db2mergebackup process
  • Backup operation failures with buffer-related errors

Service Indicators (this is a local crash; there is no distinct network signature):

  • Unusual backup service restarts
  • Failed backup completion alerts

SIEM Query:

source="db2" AND ("merge backup" OR "backup crash" OR "buffer error")
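The SIEM query above keys on free-text terms; the script below applies the same indicators (abnormal termination of the db2mergebackup process, buffer-related merge failures) to host logs and adds a time window so a burst of repeated crashes stands out from a single fault. It is an added example, not code from the page or from IBM: the log layout (`<UTC timestamp> <host> <source>: <message>`), the sample records and the exact wording of the crash and buffer messages are constructed, and the process name db2mergebackup is taken from the page's indicator list.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (not real db2diag.log or syslog output).
SAMPLE_LOG = """\
2025-06-01T01:00:03Z db2host1 db2mergebackup: merge of image SAMPLE.0.db2inst1.DBPART000.20250601 started
2025-06-01T01:04:41Z db2host1 db2mergebackup: merge completed successfully
2025-06-02T01:00:02Z db2host1 db2mergebackup: merge of image SAMPLE.0.db2inst1.DBPART000.20250602 started
2025-06-02T01:02:18Z db2host1 systemd: db2mergebackup.service: main process exited, code=killed, status=11/SEGV
2025-06-02T01:05:00Z db2host1 db2mergebackup: merge of image SAMPLE.0.db2inst1.DBPART000.20250602 started
2025-06-02T01:06:30Z db2host1 db2mergebackup: buffer size error, merge aborted
2025-06-02T01:10:00Z db2host1 db2mergebackup: merge of image SAMPLE.0.db2inst1.DBPART000.20250602 started
2025-06-02T01:11:12Z db2host1 systemd: db2mergebackup.service: main process exited, code=killed, status=11/SEGV
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<src>[^:]+):\s+(?P<msg>.*)$")
# Abnormal termination of the merge process as reported by the kernel or service manager.
CRASH_RE = re.compile(r"db2mergebackup.*(segfault|SIGSEGV|status=11/SEGV|core dumped)", re.I)
# Buffer-related failure reported by the tool itself.
BUFFER_RE = re.compile(r"buffer.*(error|overflow|abort)", re.I)


def parse_line(line):
    """Split one record into (timestamp, source, message); None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["msg"]


def classify(src, msg):
    """Map a record to an event kind relevant to this CVE, or None."""
    text = f"{src}: {msg}"
    if CRASH_RE.search(text):
        return "crash"
    if src != "db2mergebackup":
        return None
    if BUFFER_RE.search(msg):
        return "buffer_error"
    if msg.endswith("started"):
        return "start"
    if "completed successfully" in msg:
        return "success"
    return None


def scan(log_text, window=timedelta(minutes=15), crash_threshold=2):
    """Summarise merge backup crashes and raise alerts on the indicators the page lists."""
    events = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, msg = parsed
        kind = classify(src, msg)
        if kind:
            events.append((ts, kind, msg))

    crashes = [e for e in events if e[1] == "crash"]
    buffer_errors = [e for e in events if e[1] == "buffer_error"]
    starts = sum(1 for e in events if e[1] == "start")
    successes = sum(1 for e in events if e[1] == "success")

    alerts = [f"{ts.isoformat()} buffer-related merge failure: {msg}" for ts, _, msg in buffer_errors]
    # Repeated crashes inside one window point at a recurring trigger (a crafted input
    # replayed by a user, or a scheduler retrying the same failing merge).
    for i in range(len(crashes) - crash_threshold + 1):
        first, last = crashes[i][0], crashes[i + crash_threshold - 1][0]
        if last - first <= window:
            alerts.append(f"{first.isoformat()} {crash_threshold} db2mergebackup crashes within {window}")
            break

    return {
        "crashes": len(crashes),
        "buffer_errors": len(buffer_errors),
        "incomplete_merges": starts - successes,
        "alerts": alerts,
    }


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG)["alerts"]:
        print(alert)
```

Point `scan()` at the journal or syslog of the host that runs Merge Backup and at the tool's own log once you know its real message wording; the regexes are the part to tune.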

🔗 References
