CVE-2025-36186: 
IBM Db2 vulnerability analysis and mitigation

IBM Db2 versions 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) was identified with a privilege escalation vulnerability tracked as CVE-2025-36186. The vulnerability was disclosed on November 7, 2025, and affects specifically the Linux Server edition, while Unix and Windows versions are not impacted. Under specific configurations, the vulnerability allows local users to execute malicious code that can escalate their privileges to root level due to unnecessary privileges being operated at a higher than minimum level (IBM Security).

The vulnerability has been assigned CWE-250 (Execution with Unnecessary Privileges) classification. IBM has assessed the severity with a CVSS Base score of 7.4 (High) with the following vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability requires local access, has high attack complexity, needs no privileges, requires no user interaction, has an unchanged scope, and can result in high impacts to confidentiality, integrity, and availability (IBM Security).

If exploited, this vulnerability allows a local attacker to execute malicious code with root privileges, potentially leading to complete system compromise. The high CVSS impact scores for confidentiality, integrity, and availability (all rated as High) indicate that successful exploitation could result in significant system-wide impact (IBM Security).

IBM has released special builds containing interim fixes for affected versions. For V12.1.2 and V12.1.3, the fix is available in Special Build #70120 or later, which can be applied to any affected level to remediate this vulnerability. The fix is tracked under APAR DT445866. No additional workarounds or mitigations have been provided by IBM (IBM Security).