
Cloud Vulnerability DB
A community-led vulnerabilities database
IBM Db2 for Linux versions 12.1.0, 12.1.1, and 12.1.2 contain a vulnerability that could allow an unauthenticated user to cause a denial of service due to executable segments that are waiting for each other to release a necessary lock. The vulnerability was discovered and disclosed on July 29, 2025, and is tracked as CVE-2025-36010 (IBM Advisory).
The vulnerability is classified as CWE-833 (Deadlock) and has received a CVSS v3.1 base score of 6.5 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) from IBM Corporation, while the NVD assessment rates it as 7.5 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The issue specifically affects the Linux platform versions, while Unix and Windows versions are not affected (NVD).
The vulnerability can result in a denial of service condition when executable segments enter a deadlock state while waiting for lock releases. This can affect the availability of the Db2 database service, potentially disrupting business operations that depend on database access (IBM Advisory).
For db2 audit-related issues, users can stop db2 audit by removing the policy at database level using 'db2 audit database remove policy' or at instance level using 'db2audit stop'. IBM has released special builds containing interim fixes for versions 12.1.1 and 12.1.2, available through Fix Central. The fix is identified under APAR DT433635 (IBM Advisory).
Source: This report was generated using AI