CVE-2026-6052
Description
IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4, are vulnerable to running out of memory when executing certain queries with MDC tables.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.4 may exhaust memory when processing specific queries on MDC tables, leading to denial of service.
Vulnerability
IBM Db2 Server versions 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 are susceptible to a denial of service vulnerability when executing certain queries against multi-dimensional clustering (MDC) tables [1]. The issue causes the database process to run out of memory, resulting in a service disruption. Earlier unsupported releases (10.1, 9.7, etc.) may also be affected [1].
Exploitation
An attacker with authenticated access to the database can trigger the vulnerability by executing specially crafted queries on MDC tables [1]. No special network position beyond normal database client access is required. The exploit relies on the attacker's ability to issue SQL statements that lead to excessive memory consumption during query processing.
Impact
Successful exploitation results in a denial of service through memory exhaustion, impacting the availability of the database service [1]. Confidentiality and integrity are not directly affected. The CVSS 3.1 base score is 6.5 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H [1].
Mitigation
IBM has released interim fixes for this issue. For V11.5, a special build #81937 or later (based on V11.5.9) is available; for V12.1, a special build #83501 or later (based on V12.1.4) is available [1]. Customers can download these builds from IBM Fix Central using the links provided in the advisory [1]. The APAR identifier is DT465726 [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
No source-code context for this CVE. The mechanics section is only generated when we can read the actual fix diff; without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions: 0 (no linked articles in our index yet)