CVE-2025-36140

6.5 MEDIUM

📋 TL;DR

This vulnerability in IBM watsonx.data allows an authenticated user to cause a denial of service by exhausting the resources of ingestion pods, because resource allocation limits are not properly enforced. It affects IBM watsonx.data versions 2.2 through 2.2.1. Only authenticated users can exploit this vulnerability.

💻 Affected Systems

Products:
  • IBM watsonx.data
Versions: 2.2 through 2.2.1
Operating Systems: Not OS-specific - affects watsonx.data application
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access to the watsonx.data platform.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service disruption of watsonx.data ingestion functionality, potentially affecting data processing pipelines and business operations.

🟠 Likely Case

Degraded performance or temporary unavailability of ingestion pods, impacting data ingestion workflows.

🟢 If Mitigated

Minimal impact with proper resource limits and monitoring in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is technically simple once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply fix from IBM Security Bulletin

Vendor Advisory: https://www.ibm.com/support/pages/node/7253932

Restart Required: Yes

Instructions:

1. Review the IBM Security Bulletin.
2. Apply the recommended fix or upgrade to the patched version.
3. Restart affected watsonx.data services.
4. Verify the fix is applied.

🔧 Temporary Workarounds

Implement Resource Limits (platform: linux)

Configure Kubernetes resource limits for watsonx.data ingestion pods to prevent resource exhaustion.

kubectl set resources deployment/watsonx-data-ingestion --limits=cpu=2,memory=4Gi

Restrict User Permissions (platform: all)

Limit authenticated user permissions to prevent unauthorized access to ingestion pod management functions.

🧯 If You Can't Patch

  • Implement strict resource quotas and monitoring for watsonx.data ingestion pods
  • Enforce least privilege access controls and audit user activities

🔍 How to Verify

Check if Vulnerable:

Check IBM watsonx.data version: kubectl get deployment watsonx-data -o jsonpath='{.spec.template.spec.containers[0].image}'

Check Version:

kubectl get deployment watsonx-data -o jsonpath='{.spec.template.spec.containers[0].image}' | grep -o '2\.[0-9]\.[0-9]'

The pattern extracts any 2.x.y tag, so compare the result against the affected range (2.2 through 2.2.1) rather than treating a match alone as confirmation.

Verify Fix Applied:

Confirm the version has been updated and monitor ingestion pod resource usage for abnormal patterns.
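The two checks above (image version inside the affected range, and the resource-limit workaround actually present on every container) can be run offline against a Deployment's JSON. This is an added example, not code from IBM or from this page; the registry, image names, container names and the sample Deployment are constructed assumptions.

```python
import json
import re

# Affected range as stated in the advisory summary: 2.2 through 2.2.1.
AFFECTED_MIN = (2, 2, 0)
AFFECTED_MAX = (2, 2, 1)

# Constructed sample, trimmed to the fields `kubectl get deployment ... -o json`
# would return. Registry, image and container names are assumptions.
SAMPLE_DEPLOYMENT = json.loads("""
{"spec": {"template": {"spec": {"containers": [
  {"name": "ingestion", "image": "registry.example.com/watsonx-data/ingestion:2.2.1",
   "resources": {"requests": {"cpu": "500m", "memory": "1Gi"}}},
  {"name": "sidecar", "image": "registry.example.com/watsonx-data/sidecar:2.2.1",
   "resources": {"limits": {"cpu": "1", "memory": "2Gi"}}}
]}}}}
""")

def image_version(image):
    """Return (major, minor, patch) parsed from the image tag, or None if the
    tag is absent or not numeric (e.g. a digest-only reference)."""
    m = re.search(r":(\d+)\.(\d+)(?:\.(\d+))?(?:[-@]|$)", image)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_affected_version(version):
    """True when the version falls inside the advisory's affected range."""
    return version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX

def containers_without_limits(deployment):
    """Names of containers lacking a CPU or memory limit, i.e. where the
    'Implement Resource Limits' workaround is not in place."""
    missing = []
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        limits = c.get("resources", {}).get("limits", {})
        if "cpu" not in limits or "memory" not in limits:
            missing.append(c["name"])
    return missing

def assess(deployment):
    """Combine both checks into one report for the Deployment."""
    containers = deployment["spec"]["template"]["spec"]["containers"]
    versions = [image_version(c["image"]) for c in containers]
    return {
        "affected_version": any(is_affected_version(v) for v in versions),
        "containers_without_limits": containers_without_limits(deployment),
    }

if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_DEPLOYMENT), indent=2))
```

Feed it the output of `kubectl get deployment <name> -o json` to check a live cluster; an empty `containers_without_limits` list and `affected_version: false` together indicate the fix and workaround are in place.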

📡 Detection & Monitoring

Log Indicators:

  • Unusually high resource consumption by ingestion pods
  • Multiple failed ingestion attempts
  • Pod restart events

Network Indicators:

  • Increased API calls to ingestion endpoints
  • Abnormal traffic patterns to watsonx.data services

SIEM Query:

source="watsonx-data" AND (resource_usage>90% OR pod_restarts>5)
