CVE-2025-13108
Published: 17 February 2026
Summary
CVE-2025-13108 is a medium-severity Sensitive Information in Resource Not Removed Before Reuse (CWE-226) vulnerability in IBM DB2 Merge Backup. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE is ranked at the 10.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-4 (Information in Shared System Resources) and SC-39 (Process Isolation).
Deeper analysis
CVE-2025-13108 affects IBM DB2 Merge Backup for Linux, UNIX, and Windows version 12.1.0.0. The vulnerability arises because a buffer does not properly clear resources, potentially allowing an attacker to access sensitive information stored in memory. It is classified under CWE-226 (Sensitive Information in Resource Not Removed Before Reuse) and has a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), indicating medium severity with high confidentiality impact but no integrity or availability effects.
A local attacker with low privileges can exploit this issue with low complexity and no user interaction required. Successful exploitation enables the reading of sensitive data from memory that should have been cleared, potentially exposing confidential information such as credentials, keys, or other runtime data without altering system integrity or availability.
IBM's security advisory at https://www.ibm.com/support/pages/node/7260043 provides details on mitigation, including available patches for the affected DB2 Merge Backup component. Security practitioners should review the advisory for fix packs and apply them promptly to remediate the buffer clearing deficiency.
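As an added illustration that is not code from IBM or from the advisory, the following C program shows the CWE-226 pattern generically: a buffer shared across tasks keeps a credential readable by its next consumer, beside a release path that wipes it before reuse (the SC-4 control). The buffer, task names and sample credential are constructed for this example and do not describe the actual DB2 Merge Backup code.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for a long-lived buffer that a process hands to
 * successive tasks; the real DB2 Merge Backup buffer is not shown on the page. */
#define POOL_SIZE 64
static char pool[POOL_SIZE];

/* Wipe through a volatile pointer so the compiler cannot drop the stores as
 * dead writes, which is how a plain memset() before release often gets elided. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Count bytes still holding non-zero data: what a later consumer of the same
 * buffer would be able to read back. */
static size_t residue_bytes(void) {
    size_t count = 0;
    for (size_t i = 0; i < POOL_SIZE; i++)
        if (pool[i] != 0) count++;
    return count;
}

/* A task loads a secret into the shared buffer, uses it, then releases it.
 * wipe_on_release = 0 reproduces the CWE-226 pattern; 1 is the hardened form. */
static void task_use_secret(const char *secret, int wipe_on_release) {
    size_t len = strlen(secret);
    if (len >= POOL_SIZE) len = POOL_SIZE - 1;
    memcpy(pool, secret, len);
    pool[len] = '\0';
    /* ... work with the secret here ... */
    if (wipe_on_release)
        secure_wipe(pool, POOL_SIZE);   /* SC-4: clear before the buffer is reused */
}

int main(void) {
    const char *secret = "hunter2-token";   /* constructed sample credential */
    task_use_secret(secret, 0);
    printf("without wipe: %zu bytes of residue\n", residue_bytes());   /* 13 */
    task_use_secret(secret, 1);
    printf("with wipe:    %zu bytes of residue\n", residue_bytes());   /* 0 */
    return 0;
}
```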
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207713
Vulnerability details
IBM DB2 Merge Backup for Linux, UNIX and Windows 12.1.0.0 could allow an attacker to access sensitive information in memory due to the buffer not properly clearing resources.
- CWE(s): CWE-226 (Sensitive Information in Resource Not Removed Before Reuse)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1005 (Data from Local System)
Why these techniques?
Vulnerability enables local reading of residual sensitive data (e.g., credentials) from uncleared memory buffers.
Affected Assets
- IBM DB2 Merge Backup for Linux, UNIX and Windows 12.1.0.0
Mitigating Controls (NIST 800-53 r5)
- SC-4 (Information in Shared System Resources): directly requires that shared system resources such as memory buffers have sensitive information removed before reuse, exactly addressing CWE-226.
- Mandates architectural memory-protection techniques that can enforce clearing or isolation of sensitive data in process memory.
- SC-39 (Process Isolation): requires process isolation boundaries that reduce the ability of a local attacker to read another process's uncleared memory.