Cyber Resilience

CVE-2025-13108

Severity: Medium
Published: 17 February 2026
Modified: 26 February 2026
KEV Added: none (not in the CISA KEV catalog)
CVSS Score v3.1: 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0003 (10.7th percentile)
Risk Priority: 11 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-13108 is a medium-severity vulnerability in IBM Db2 Merge Backup, classified as Sensitive Information in Resource Not Removed Before Reuse (CWE-226). Its CVSS v3.1 base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The vulnerability ranks at the 10.7th percentile by EPSS exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-4 (Information in Shared System Resources) and SC-39 (Process Isolation).

Deeper analysis

CVE-2025-13108 affects IBM DB2 Merge Backup for Linux, UNIX, and Windows version 12.1.0.0. The vulnerability arises because a buffer does not properly clear resources, potentially allowing an attacker to access sensitive information stored in memory. It is classified under CWE-226 (Sensitive Information in Resource Not Removed Before Reuse) and has a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), indicating medium severity with high confidentiality impact but no integrity or availability effects.

A local attacker with low privileges can exploit this issue with low complexity and no user interaction required. Successful exploitation enables the reading of sensitive data from memory that should have been cleared, potentially exposing confidential information such as credentials, keys, or other runtime data without altering system integrity or availability.
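To make the CWE-226 pattern in the analysis concrete, the following is an added example (not IBM's code and not derived from the advisory): a shared work buffer is released for reuse once without clearing and once after being scrubbed, and the next consumer reports how many bytes of the earlier secret it can still read. The buffer, the secret and all function names are hypothetical.

```c
#include <stddef.h>
#include <string.h>
#define BUF_SIZE 64

/* Shared work buffer standing in for the reusable resource (constructed for
 * this example; not IBM's code). */
static unsigned char work_buf[BUF_SIZE];

/* Zeroing through a volatile pointer so the compiler cannot drop the stores
 * as dead: a plain memset() on memory never read again may be optimised away. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Length of the secret, limited to what fits in the buffer. */
static size_t clamp_len(const char *s) {
    size_t n = strlen(s);
    return n > BUF_SIZE ? BUF_SIZE : n;
}

/* First consumer: copies a secret into the shared buffer. */
static void stage_use_secret(const char *secret) {
    memcpy(work_buf, secret, clamp_len(secret));
}

/* Second consumer: counts bytes of the earlier secret still readable at the
 * same offsets (0 means the buffer was cleared before reuse). */
static size_t residual_bytes(const char *secret) {
    size_t hits = 0;
    for (size_t i = 0; i < clamp_len(secret); i++)
        if (work_buf[i] == (unsigned char)secret[i])
            hits++;
    return hits;
}

/* CWE-226 pattern: the buffer is handed back for reuse without clearing. */
size_t leak_with_unsafe_release(const char *secret) {
    stage_use_secret(secret);
    return residual_bytes(secret);   /* previous contents are still there */
}

/* Remediated pattern: scrub before release, so the next consumer sees zeros. */
size_t leak_with_safe_release(const char *secret) {
    stage_use_secret(secret);
    secure_zero(work_buf, BUF_SIZE);
    return residual_bytes(secret);
}
```

The same scrub-before-release step is what SC-4 asks for at the control level; in production code prefer a platform primitive such as explicit_bzero() or memset_s() where available.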

IBM's security advisory at https://www.ibm.com/support/pages/node/7260043 provides details on mitigation, including available patches for the affected DB2 Merge Backup component. Security practitioners should review the advisory for fix packs and apply them promptly to remediate the buffer clearing deficiency.


Vulnerability details

IBM DB2 Merge Backup for Linux, UNIX and Windows 12.1.0.0 could allow an attacker to access sensitive information in memory due to the buffer not properly clearing resources.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Vulnerability enables local reading of residual sensitive data (e.g., credentials) from uncleared memory buffers.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-28766 (same vendor: IBM)
CVE-2026-0977 (same vendor: IBM)
CVE-2025-1722 (same vendor: IBM)
CVE-2025-0162 (same vendor: IBM)
CVE-2026-4788 (same vendor: IBM)
CVE-2025-14923 (same vendor: IBM)
CVE-2024-41771 (same vendor: IBM)
CVE-2024-31896 (same vendor: IBM)
CVE-2026-1567 (same vendor: IBM)
CVE-2024-45652 (same vendor: IBM)

Affected Assets

IBM Db2 Merge Backup 12.1.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent (SC-4, Information in Shared System Resources): Directly requires that shared system resources such as memory buffers have sensitive information removed before reuse, exactly addressing CWE-226.

Prevent: Mandates architectural memory-protection techniques that can enforce clearing or isolation of sensitive data in process memory.

Prevent (SC-39, Process Isolation): Requires process isolation boundaries that reduce the ability of a local attacker to read another process's uncleared memory.
