Security patches: Root attacks on IBM Db2 possible
Multiple security vulnerabilities endanger IBM's database management system Db2. Primarily, instances can crash.
Attackers can target systems running IBM Db2, gain root privileges in the worst case, and subsequently compromise them. Security patches fix this problem and several others. So far, there are no reports of attackers exploiting the vulnerabilities.
Patches available
The database management system is vulnerable to over 17 software flaws in total. Two of them (CVE-2025-36384, CVE-2025-36184) are rated “high.” In the first case, attackers with file system access can gain elevated privileges; in the second, escalation is possible all the way to the root user. From such a position, attackers can be assumed to take full control of the system.
In these cases, the security updates Special Build #66394 for IBM Db2 11.5.9, Special Build #71609 for 12.1.3 and a Special Build for 12.1.2 provide a remedy. IBM's developers point out that versions no longer in support are likely affected as well. Those versions no longer receive security updates and therefore remain vulnerable; admins must upgrade to a still-supported version.
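For admins who need to check a fleet of instances against the fixed levels named above, the following is an added example (not code from heise or IBM) that classifies `db2level` output. It assumes that `db2level` reports the release as an informational token of the form "DB2 vA.B.C.D" and an installed special build as a token "special_NNNNN"; both conventions should be verified against your own `db2level` output. The sample output lines are constructed, and the Special Build number for 12.1.2, which the article does not give, is deliberately left as a "check with the vendor" case rather than guessed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Fixed levels named in the article: Special Build 66394 for 11.5.9 and
# Special Build 71609 for 12.1.3. The article gives no build number for
# 12.1.2, so that stream is flagged for manual verification instead.
FIXED_SPECIAL_BUILD = {
    "11.5.9": 66394,
    "12.1.3": 71609,
}
FIX_AVAILABLE_NUMBER_UNKNOWN = {"12.1.2"}

# Assumed db2level conventions (verify against real output): the release
# appears as a token "DB2 vA.B.C.D"; an installed special build appears as a
# token "special_NNNNN".
VERSION_RE = re.compile(r'"DB2 v(\d+)\.(\d+)\.(\d+)\.\d+"')
SPECIAL_RE = re.compile(r'"special_(\d+)"')


@dataclass
class Db2Level:
    version: str                  # "major.minor.mod", e.g. "11.5.9"
    special_build: Optional[int]  # None when no special build token is present


def parse_db2level(output: str) -> Db2Level:
    """Extract the release stream and any special build number from db2level output."""
    m = VERSION_RE.search(output)
    if m is None:
        raise ValueError("no 'DB2 vX.Y.Z.W' token found in db2level output")
    version = ".".join(m.group(1, 2, 3))
    s = SPECIAL_RE.search(output)
    return Db2Level(version, int(s.group(1)) if s else None)


def assess(level: Db2Level) -> str:
    """Classify an instance against the fixed levels from the article.

    Returns one of:
      'patched'      - special build at or above the fixed build (assumes later
                       special builds on the same stream supersede earlier ones)
      'vulnerable'   - a fixed build exists for this stream and is not installed
      'check-vendor' - a fix exists but the article gives no build number
      'unsupported'  - stream not listed; IBM says out-of-support versions are
                       likely affected too, so treat as needing an upgrade
    """
    fixed = FIXED_SPECIAL_BUILD.get(level.version)
    if fixed is not None:
        if level.special_build is not None and level.special_build >= fixed:
            return "patched"
        return "vulnerable"
    if level.version in FIX_AVAILABLE_NUMBER_UNKNOWN:
        return "check-vendor"
    return "unsupported"


# Constructed sample db2level lines (not captured from real systems).
SAMPLES = {
    "base_11_5_9": ('Informational tokens are "DB2 v11.5.9.0", "s2310270807", '
                    '"DYN2310270807AMD64", and Fix Pack "0".'),
    "fixed_11_5_9": ('Informational tokens are "DB2 v11.5.9.0", "special_66394", '
                     '"DYN2310270807AMD64", and Fix Pack "0".'),
    "fixed_12_1_3": ('Informational tokens are "DB2 v12.1.3.0", "special_71609", '
                     '"DYN2501010000AMD64", and Fix Pack "0".'),
    "base_12_1_2": ('Informational tokens are "DB2 v12.1.2.0", "s2501010000", '
                    '"DYN2501010000AMD64", and Fix Pack "0".'),
    "old_11_1_4": ('Informational tokens are "DB2 v11.1.4.7", "s2301230800", '
                   '"DYN2301230800AMD64", and Fix Pack "7".'),
}


def assess_samples() -> dict:
    """Run the classification over every constructed sample."""
    return {name: assess(parse_db2level(out)) for name, out in SAMPLES.items()}


if __name__ == "__main__":
    for name, status in assess_samples().items():
        print(f"{name}: {status}")
```

In practice, feed the script the captured output of `db2level` from each instance (for example collected by your configuration-management tooling) and treat anything other than "patched" as an open finding; the "unsupported" branch exists because the article explicitly notes that out-of-support releases get no fix and must be upgraded rather than patched.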
Further Dangers
The remaining vulnerabilities are rated “medium.” Here, attackers can, for example, trigger denial-of-service conditions with manipulated requests. Further details on the vulnerabilities and security updates are available in the advisories linked below this article.
Just recently, the developers closed a critical vulnerability in IBM Db2 Big SQL.
List sorted by threat level in descending order:
- IBM Db2 is vulnerable to privilege escalation due to the use of an unquoted search path element (CVE-2025-36384)
- IBM Db2 is vulnerable to local privilege escalation that can grant root access to the system (CVE-2025-36184)
- IBM Db2 is vulnerable to privilege escalation under specific configuration of cataloged remote storage aliases (CVE-2025-36365)
- IBM Db2 is vulnerable to a denial of service with a specially crafted query that uses ALTER TABLE operations (CVE-2025-2668)
- IBM Db2 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query (CVE-2025-36442)
- IBM Db2 Federated server is vulnerable to a denial of service as the server may crash when using a specially crafted statement (CVE-2025-36423)
- IBM Db2 Federated server is vulnerable to a denial of service with a specially crafted query (CVE-2025-36424)
- IBM Db2 is vulnerable to a denial of service when given a specially crafted query (CVE-2025-36387)
- IBM Db2 could allow an authenticated user to cause a denial of service using a specially crafted SQL statement that includes XML (CVE-2025-36001)
- IBM Db2 is vulnerable to a denial of service when using certain functions in a query (CVE-2025-36366)
- IBM Db2 is vulnerable to a denial of service as the server may terminate under certain conditions (CVE-2025-36009)
- IBM Db2 is vulnerable to a denial of service as a trap may occur when selecting from certain types of tables (CVE-2025-36070)
- IBM Db2 is vulnerable to a denial of service due to improper allocation of resources (CVE-2025-36098)
- IBM Db2 is vulnerable to a denial of service when copying large tables containing XML data (CVE-2025-36123)
- IBM Db2 is vulnerable to a denial of service with a specially crafted query (CVE-2025-36353)
- IBM Db2 is vulnerable to a denial of service due to improper neutralization of special elements in data query logic (CVE-2025-36428)
(des)