Cyber Resilience

CVE-2025-36070

MediumDDoS

Published: 30 January 2026

Published
30 January 2026
Modified
05 February 2026
KEV Added
Patch
CVSS Score v3.1 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0004 13.2th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-36070 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Ibm Db2. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 13.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-36070 is a denial-of-service vulnerability (CWE-770) in IBM Db2 for Linux, UNIX, and Windows, including Db2 Connect Server, affecting versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3. The issue occurs when a trap is triggered during SELECT operations on certain types of tables, with a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction. Exploitation triggers a trap that results in high-impact denial of service by disrupting database availability, without compromising confidentiality or integrity.

IBM provides details on mitigation, including available patches, in their security advisory at https://www.ibm.com/support/pages/node/7257624.

EU & UK References

Vulnerability details

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 is vulnerable to a denial of service as a trap may occur when selecting from certain types of tables.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

DoS via trap on SELECT directly matches application exploitation for endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-36442Same product: Ibm Db2
CVE-2025-36247Same product: Ibm Db2
CVE-2025-36384Same product: Ibm Db2
CVE-2025-36365Same product: Ibm Db2
CVE-2025-36184Same product: Ibm Db2
CVE-2026-1376Same vendor: Ibm
CVE-2024-41742Same vendor: Ibm
CVE-2024-45662Same vendor: Ibm
CVE-2025-1403Same vendor: Ibm
CVE-2026-1718Same product: Ibm Db2

Affected Assets

ibm
db2
11.5.0 — 11.5.9 · 11.5.0 — 11.5.9 · 11.5.0 — 11.5.9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the root cause by requiring timely application of the vendor patches IBM provides for the trap in SELECT processing.

prevent

Implements protections against resource-exhaustion and trap-induced denial of service that this CVE exploits via crafted table SELECTs.

prevent

Ensures graceful error handling for unexpected traps instead of allowing the database process to crash and cause full DoS.

References