CVE-2025-1992: 
IBM Db2 vulnerability analysis and mitigation

CVE-2025-1992 is a vulnerability discovered in IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.1. The vulnerability was disclosed on May 5, 2025, and is related to insufficient release of allocated memory after usage, which could allow an authenticated user to cause a denial of service under non-default configurations (IBM Security).

The vulnerability is classified as CWE-401 (Missing Release of Memory after Effective Lifetime) and has received a CVSS v3.1 Base Score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H. The technical nature of the vulnerability involves memory management issues where allocated memory is not properly released after its usage (IBM Security, Wiz).

The vulnerability can result in a denial of service condition, affecting the availability of the Db2 database system. This impact is particularly significant under non-default configurations, where authenticated users could trigger the memory management issue (IBM Security).

IBM has released special builds containing interim fixes for affected versions. For V11.5.9, Special Build #55285 or later is available, and for V12.1.1, Special Build #54779 or later can be downloaded from Fix Central. These special builds can be applied to any affected level of the appropriate release to remediate the vulnerability. No workarounds are available (IBM Security).