
Cloud Vulnerability DB
A community-led vulnerabilities database
IBM Db2 versions 12.1.0 through 12.1.2 for Linux, UNIX and Windows (includes Db2 Connect Server) contain a vulnerability that could allow a local user to cause a denial of service. The vulnerability (CVE-2025-36185) was disclosed on November 7, 2025, and is related to improper neutralization of special elements in data query logic (IBM Security).
The vulnerability is classified as CWE-943: Improper Neutralization of Special Elements in Data Query Logic. It has received a CVSS Base Score of 6.2 (Medium) with the following vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The scoring indicates that the vulnerability requires local access, has low attack complexity, requires no privileges, and needs no user interaction. While it does not impact confidentiality or integrity, it can have a high impact on availability (IBM Security).
The vulnerability specifically affects the Unix version of IBM Db2 Server versions 12.1.0 through 12.1.2, while Linux and Windows versions are not affected. If exploited, the vulnerability could allow an attacker to cause a denial of service, potentially disrupting database operations (IBM Security).
IBM has released special builds containing interim fixes for affected versions. Customers running vulnerable versions of IBM Db2 V12.1 can download the special build #70120 or later for V12.1.2, which contains the fix (APAR DT440596). As a workaround, IBM recommends providing a complete 'create wrapper' statement with the 'options' clause (IBM Security).
Source: This report was generated using AI