CVE-2026-1718

Vulnerability

A denial of service vulnerability exists in IBM Db2 versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4. The issue occurs when autonomous transactions are enabled, allowing a remote authenticated user to execute a specially crafted query that triggers excessive resource allocation, leading to a denial of service. This corresponds to CWE-770: Allocation of Resources Without Limits or Throttling. The vulnerability is present on Linux systems; Unix and Windows are not affected. Earlier unsupported releases may also be vulnerable [1].

Exploitation

An attacker requires network access to the Db2 server and valid low-privilege credentials (PR:L). With these, the attacker can submit a specially crafted query to a database where autonomous transactions are enabled. The exact sequence of steps is not publicly disclosed to prevent malicious use [1].

Impact

Successful exploitation results in a denial of service, affecting system availability. The CVSS vector indicates a high availability impact (A:H) with low confidentiality impact (C:L) and no integrity impact (I:N). The attack complexity is low, and user interaction is not required [1].

Mitigation

IBM has released special builds containing interim fixes for affected releases: V11.5.9 (Special Build #81937 or later) and V12.1.4 (Special Build #83501 or later). These builds can be downloaded from IBM Fix Central via the links provided in the advisory. Fixed mod pack versions are to be determined (TBD) for future release streams [1].