CVE-2025-36070

6.5 MEDIUM

📋 TL;DR

IBM Db2 databases running vulnerable versions can experience denial of service when specific SELECT queries are executed against certain table types, causing a trap (crash). This affects Db2 11.5.0-11.5.9 and 12.1.0-12.1.3 on Linux, UNIX, and Windows systems, including Db2 Connect Server installations.

💻 Affected Systems

Products:
  • IBM Db2 for Linux, UNIX and Windows
  • IBM Db2 Connect Server
Versions: 11.5.0 through 11.5.9, 12.1.0 through 12.1.3
Operating Systems: Linux, UNIX, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All installations within affected version ranges are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Malicious actor executes crafted SELECT query causing Db2 instance to crash, resulting in complete database unavailability until manual restart.

🟠

Likely Case

Accidental or malicious query triggers trap, causing service interruption requiring database restart and potential transaction loss.

🟢

If Mitigated

With proper access controls and query validation, risk reduces to accidental triggering by authorized users with legitimate queries.

🌐 Internet-Facing: MEDIUM - Requires database access credentials; direct internet exposure increases attack surface but authentication is still needed.
🏢 Internal Only: MEDIUM - Insider threats or compromised credentials could exploit; network segmentation reduces but doesn't eliminate risk.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires database credentials and knowledge of specific table types; no public exploit code available at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.5.9.0 Fix Pack 1 or later for 11.5.x; 12.1.3.0 Fix Pack 1 or later for 12.1.x

Vendor Advisory: https://www.ibm.com/support/pages/node/7257624

Restart Required: Yes

Instructions:

1. Download the appropriate fix pack from IBM Fix Central.
2. Stop all Db2 instances and applications.
3. Apply the fix pack following the IBM installation guide.
4. Restart the Db2 instances and verify functionality.

🔧 Temporary Workarounds

Restrict Database Access

Applies to: all platforms

Limit database user permissions to only necessary tables and operations

REVOKE SELECT ON TABLE <table_name> FROM <user_or_group>
GRANT SELECT ON TABLE <safe_tables> TO <user_or_group>

Implement Query Monitoring

Applies to: all platforms

Monitor and alert on unusual SELECT queries against system tables

db2pd -db <database> -appl
db2 get snapshot for database on <database>

🧯 If You Can't Patch

  • Implement strict database user access controls and principle of least privilege
  • Deploy network segmentation and firewall rules to restrict database access to trusted sources only

🔍 How to Verify

Check if Vulnerable:

Check the Db2 version: the "Informational tokens" line of the db2level output shows the installed level; an instance is vulnerable if it reports an affected version (11.5.0-11.5.9 or 12.1.0-12.1.3) without the fix pack named above.

Check Version:

db2level | grep 'Informational tokens'

Verify Fix Applied:

Verify version after patching: db2level should show 11.5.9.0 Fix Pack 1 or later, or 12.1.3.0 Fix Pack 1 or later

📡 Detection & Monitoring

Log Indicators:

  • Db2 trap/crash events in db2diag.log
  • Unexpected database termination messages
  • Abnormal SELECT query patterns in audit logs

Network Indicators:

  • Sudden drop in database connections
  • Failed connection attempts followed by service unavailability

SIEM Query:

source="db2diag.log" AND ("trap" OR "crash" OR "abend")
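The version check in "How to Verify" and the log indicators above, as an added example that is not part of the advisory: it parses db2level output, applies the advisory's affected ranges and fix-pack levels, and filters db2diag.log lines on the same trap/crash/abend keywords as the SIEM query. The sample db2level output and log lines are constructed (placeholder build tokens), and the treatment of the fix-pack level as the larger of the fourth version field and the Fix Pack token is an assumption.

```python
import re

# Constructed sample db2level output; build tokens are placeholders, not a real capture.
SAMPLE_DB2LEVEL = (
    'DB21085I  This instance or install (instance name, where applicable: "db2inst1") '
    'uses "64" bits and DB2 code release "SQL11059" with level identifier "0A0A010F".\n'
    'Informational tokens are "DB2 v11.5.9.0", "s0000000000", "DYN0000000000AMD64", '
    'and Fix Pack "0".\n'
    'Product is installed at "/opt/ibm/db2/V11.5".\n'
)

TOKEN_RE = re.compile(r'"DB2 v(\d+)\.(\d+)\.(\d+)\.(\d+)".*?Fix Pack "(\d+)"', re.S)


def parse_db2level(output):
    """Return ((major, minor, mod, fix), fix_pack) from the 'Informational tokens' line."""
    m = TOKEN_RE.search(output)
    if not m:
        raise ValueError("no 'Informational tokens' line with a DB2 version found")
    major, minor, mod, fix, fp = (int(x) for x in m.groups())
    return (major, minor, mod, fix), fp


def is_vulnerable(version, fix_pack):
    """Affected ranges from the advisory: 11.5.0-11.5.9 (fixed at 11.5.9 FP1) and
    12.1.0-12.1.3 (fixed at 12.1.3 FP1). Assumption: the effective fix-pack level is
    the larger of the fourth version field and the Fix Pack token."""
    major, minor, mod, fix = version
    fp = max(fix, fix_pack)
    if (major, minor) == (11, 5) and mod <= 9:
        return not (mod == 9 and fp >= 1)
    if (major, minor) == (12, 1) and mod <= 3:
        return not (mod == 3 and fp >= 1)
    return False  # other releases are outside the advisory's affected ranges


# Constructed db2diag.log excerpt; only the keywords matter for the indicator filter.
SAMPLE_DB2DIAG = [
    "2025-01-01-10.00.00.000000+000 I1A2  LEVEL: Info",
    "MESSAGE : Database manager has started.",
    "2025-01-01-10.05.00.000000+000 I3A4  LEVEL: Severe",
    "MESSAGE : Trap encountered in engine process, see trap file for details.",
    "2025-01-01-10.05.01.000000+000 I5A6  LEVEL: Severe",
    "MESSAGE : Abend: all processes for this instance have been shut down.",
]

TRAP_RE = re.compile(r"\b(trap|crash|abend)\b", re.I)


def trap_indicators(lines):
    """Return the db2diag.log lines that match the advisory's trap/crash/abend indicators."""
    return [ln for ln in lines if TRAP_RE.search(ln)]
```

Feed `parse_db2level` the real output of `db2level` on each instance and page on any `trap_indicators` hit to cover both the patch check and the detection side of this advisory.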

🔗 References
