CVE-2025-36366

6.5 MEDIUM

📋 TL;DR

IBM Db2 databases are vulnerable to denial of service attacks when users execute queries containing the JSON_Object scalar function, which can trigger an unhandled exception and crash the server. This affects Db2 for Linux, UNIX, Windows, and Db2 Connect Server installations. Any authenticated user with query execution privileges can potentially exploit this vulnerability.

💻 Affected Systems

Products:
  • IBM Db2 for Linux, UNIX and Windows
  • IBM Db2 Connect Server
Versions: Multiple versions - see IBM advisory for specific affected versions
Operating Systems: Linux, UNIX, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All standard installations with JSON_Object function enabled are vulnerable. The function is typically available by default in affected versions.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database server crash requiring manual restart, causing extended service disruption and potential data corruption if transactions are interrupted.

🟠 Likely Case: Temporary denial of service affecting all database connections until server restart, impacting dependent applications and services.

🟢 If Mitigated: Minimal impact with proper access controls limiting who can execute arbitrary queries and monitoring to detect abuse.

🌐 Internet-Facing: MEDIUM - While exploitation requires authentication, internet-facing Db2 instances with exposed query interfaces could be targeted by attackers with stolen credentials.
🏢 Internal Only: MEDIUM - Insider threats or compromised internal accounts could exploit this to disrupt critical database services.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires only a valid database account with query execution privileges and knowledge of the vulnerable function.

Exploitation is straightforward once an attacker has database credentials. No special tools or advanced techniques required beyond executing the triggering query.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to IBM advisory for version-specific fixes

Vendor Advisory: https://www.ibm.com/support/pages/node/7257681

Restart Required: Yes

Instructions:

1. Review the IBM advisory for your specific Db2 version.
2. Apply the recommended fix pack or interim fix.
3. Restart the Db2 instance to apply the changes.
4. Test functionality after patching.

🔧 Temporary Workarounds

Restrict JSON_Object Function Access (applies to: all platforms)

Revoke EXECUTE privileges on the JSON_Object function from non-administrative users. Db2 for LUW requires the RESTRICT keyword on REVOKE EXECUTE for routines; the statement fails if a view, trigger or other object depends on the function, which is the safe default:

REVOKE EXECUTE ON FUNCTION JSON_Object FROM PUBLIC RESTRICT
REVOKE EXECUTE ON FUNCTION JSON_Object FROM <username> RESTRICT

Implement Query Monitoring (applies to: all platforms)

Monitor and alert on queries containing JSON_Object function calls:

  • Configure Db2 audit policies to log JSON_Object usage
  • Set up real-time monitoring for suspicious query patterns

🧯 If You Can't Patch

  • Implement strict access controls to limit who can execute arbitrary queries
  • Deploy network segmentation and firewall rules to restrict database access to trusted sources only

🔍 How to Verify

Check if Vulnerable:

Check if your Db2 version is listed in the IBM advisory and test if JSON_Object function is accessible to non-admin users.

Check Version:

db2level (on the Db2 command line), or from SQL:

SELECT SERVICE_LEVEL, BLD_LEVEL, FIXPACK_NUM FROM SYSIBMADM.ENV_INST_INFO

Verify Fix Applied:

After patching, attempt to reproduce the crash with the JSON_Object function on a non-production instance and verify the server remains stable.

📡 Detection & Monitoring

Log Indicators:

  • Database crash logs
  • Abnormal termination events
  • Error messages related to JSON_Object function
  • High frequency of JSON_Object queries

Network Indicators:

  • Sudden drop in database connections
  • Application errors indicating database unavailability

SIEM Query:

source="db2_audit_logs" AND (function="JSON_Object" OR error="unhandled exception")
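The log indicators above (JSON_Object usage, failed JSON_Object calls, and high per-user frequency) as a small offline detector, added here as an example and not part of the original advisory or of any IBM tooling. The records are constructed in a simplified `user|statement|sqlcode` layout, not the real db2audit extract format; map your own audit fields into it before use, and treat the threshold and the sample SQLCODE as assumptions.

```python
import re
from collections import Counter

# Constructed sample audit records (NOT the real db2audit extract layout):
# user|statement|sqlcode. A negative sqlcode marks a failed statement.
SAMPLE_AUDIT = """\
appuser1|SELECT JSON_OBJECT(KEY 'id' VALUE id) FROM orders|0
appuser1|SELECT JSON_OBJECT(KEY 'a' VALUE a) FROM t1|0
appuser1|select json_object(key 'b' value b) from t2|0
appuser1|SELECT JSON_OBJECT(KEY 'c' VALUE c) FROM t3|-901
reportsvc|SELECT COUNT(*) FROM orders|0
dba|SELECT SERVICE_LEVEL FROM SYSIBMADM.ENV_INST_INFO|0
"""

# Case-insensitive match on a JSON_OBJECT call, not just the bare word.
JSON_OBJECT_RE = re.compile(r"\bJSON_OBJECT\s*\(", re.IGNORECASE)


def parse_records(text):
    """Turn the constructed delimited text into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, stmt, sqlcode = line.split("|", 2)
        records.append({"user": user, "stmt": stmt, "sqlcode": int(sqlcode)})
    return records


def find_json_object_events(records):
    """Keep only statements that invoke JSON_OBJECT."""
    return [r for r in records if JSON_OBJECT_RE.search(r["stmt"])]


def high_frequency_users(events, threshold):
    """Users whose JSON_OBJECT call count reaches the (assumed) threshold."""
    counts = Counter(e["user"] for e in events)
    return {u: n for u, n in counts.items() if n >= threshold}


def analyse(text, threshold=3):
    """Summarise the three indicators for a batch of audit records."""
    events = find_json_object_events(parse_records(text))
    return {
        "json_object_calls": len(events),
        "high_frequency_users": high_frequency_users(events, threshold),
        "failed_calls": [(e["user"], e["sqlcode"]) for e in events if e["sqlcode"] < 0],
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_AUDIT))
```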
