CVE-2025-36442
Published: 30 January 2026
Summary
CVE-2025-36442 is a medium-severity Improper Neutralization of Special Elements in Data Query Logic (CWE-943) vulnerability in Ibm Db2. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 14.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-36442 is a denial-of-service vulnerability affecting IBM Db2 for Linux, UNIX, and Windows, including Db2 Connect Server, in versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3. The issue arises when the server processes a specially crafted query involving XML columns under certain conditions, potentially causing a crash. It carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) and is linked to CWE-943 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ("Injection")) with additional NVD-CWE-noinfo classification. The vulnerability was published on 2026-01-30.
An attacker requires low privileges (PR:L) and can exploit this remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). By submitting the crafted query, the attacker can crash the Db2 server, achieving high-impact denial of service (A:H) through availability disruption, with no effects on confidentiality or integrity and no change in scope (S:U).
IBM's security advisory at https://www.ibm.com/support/pages/node/7257698 provides details on the vulnerability, affected versions, and recommended mitigations, including available patches.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206567
Vulnerability details
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query with XML…
more
columns.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct mapping to application/system exploitation causing crash/DoS via crafted remote query input.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly blocks the specially crafted XML query input that triggers the Db2 server crash.
Requires prompt application of the vendor patches that eliminate the XML-column flaw in the listed Db2 versions.
Limits the availability impact when a crafted query reaches the database service.