CVE-2026-6053

Vulnerability

IBM Db2 is vulnerable to a denial of service when a specially crafted query is run against range partitioned tables (CWE-770: Allocation of Resources Without Limits or Throttling) [1]. The affected versions are IBM Db2 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 on all platforms. Earlier releases (10.1, 9.7, etc.) may also be affected but are no longer supported [1].

Exploitation

An authenticated attacker with local or remote access to the database can send a specially crafted query that targets range partitioned tables. The specific query pattern is not disclosed by IBM, but the attack requires only the ability to run queries against the affected database instance [1]. The vulnerability triggers excessive resource allocation without proper limits or throttling.

Impact

Successful exploitation leads to a denial of service (availability impact) with no impact on confidentiality or integrity. The CVSS v3.1 base score is 5.5 (Medium) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H [1]. The attack results in a high availability impact, potentially causing the database to become unresponsive or crash.

Mitigation

IBM has released special builds containing interim fixes for the affected releases: Special Build #81937 or later for V11.5.9, and Special Build #83501 or later for V12.1.4 [1]. These builds are available from IBM Fix Central via the links provided in the advisory. Customers on earlier versions should upgrade to the latest fix pack level before applying the special build. IBM does not disclose key functionality or replication steps for the vulnerability [1].