CVE-2024-51473: 
IBM Db2 vulnerability analysis and mitigation

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) versions 10.5.0.0 through 10.5.0.11, 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.2 is vulnerable to a denial of service vulnerability identified as CVE-2024-51473. The vulnerability was discovered and disclosed on July 29, 2025, affecting the federated server component which may crash under certain conditions when processing specially crafted queries (IBM Advisory).

The vulnerability is classified as a Stack-based Buffer Overflow (CWE-121). It has received a CVSS v3.1 Base Score of 6.5 (Medium) from IBM with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, while the NVD assessment rates it at 7.5 (High) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability affects the federated server component and can be triggered by specially crafted queries (IBM Advisory, NVD).

When successfully exploited, this vulnerability can result in a denial of service condition where the Db2 server crashes. The impact is primarily on the availability of the system, with no direct impact on confidentiality or integrity of the data (IBM Advisory).

IBM has released special builds containing interim fixes for all affected versions. These builds are available based on the most recent mod pack level for each impacted release: V10.5 FP11, V11.1.4 FP7, V11.5.9, V12.1.1 and V12.1.2. As a workaround, users can define a federated wrapper with FENCED option, though this may have minor performance implications. Note that after December 31, 2025, versions 11.1 and 10.5 will not receive security fixes as they will reach End of Support (IBM Advisory).