CVE-2025-36006

Summary

IBM Db2 10.5.0 through 10.5.11, 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial due to the improper release of resources after use.

Affected Software

VendorProductVersion RangeStatus
IBMDb210.5.0 <= 10.5.11affected
IBMDb211.1.0 <= 11.1.4.7affected
IBMDb211.5.0 <= 11.5.9affected
IBMDb212.1.0 <= 12.1.3affected

Weaknesses

  • CWE-404: CWE-404 Improper Resource Shutdown or Release

Workarounds

Workarounds and Mitigations For JCC applications, set queryCloseImplicit property to 2 for the connections. For, CLI and ODBC applications, set SQL_ATTR_EARLYCLOSE property to SQL_EARLYCLOSE_OFF for the statements. Manually recycle connections either by forcing the application handles or by making an application side change (a refresh of the connection pool). You can find the application handles that use most FCM buffers by running db2pd -fcm -member x  (look for the highest buffer consumer) and then force.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References