CVE-2025-36366 in DB2

Summary

by MITRE • 01/31/2026

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow a user to cause a denial of service by executing a query that invokes the JSON_Object scalar function, which may trigger an unhandled exception leading to abnormal server termination.


Analysis

by VulDB Data Team • 02/04/2026

IBM Db2 for Linux, UNIX and Windows contains a critical vulnerability in the implementation of its JSON_Object scalar function that can be exploited to cause a denial of service. The vulnerability affects the database server's handling of malformed or specially crafted JSON data structures when they are processed through the JSON_Object function. The flaw lies in the server-side query execution engine, where the function fails to properly validate its input parameters, leading to an unhandled exception that terminates the database server process. Affected systems include Db2 Connect Server and the standard Db2 database server components on all supported operating systems, including Linux, UNIX and Windows.

Attackers can leverage this weakness by constructing SQL queries that invoke the JSON_Object function with parameters designed to trigger the exception handler failure. The unhandled exception occurs during the query parsing and execution phase, causing the database server to crash and restart automatically, which results in extended downtime for database services and potential data availability issues. The vulnerability relates to CWE-400, which addresses unchecked resource consumption, and CWE-691, which covers insufficient control of a resource through a public interface.

From an operational security perspective, this vulnerability represents a significant risk to database availability and can be exploited by either authenticated or unauthenticated users, depending on the system configuration. The impact extends beyond simple service disruption: database server restarts can lead to transaction rollbacks, connection timeouts and potential data consistency issues. The vulnerability is particularly concerning in production environments where database availability is critical for business operations and where the server may be reachable from external networks.

Organizations using IBM Db2 in mission-critical applications face potential service interruptions that can affect every dependent system and application relying on database connectivity. The attack surface is broad because the JSON_Object function is commonly used in applications that process JSON data, so the vulnerability is reachable by anyone who can submit crafted queries through standard database interfaces. The vulnerability can be classified under ATT&CK technique T1499.004, which covers network denial of service, and T1566.001, which involves spearphishing via social media, as attackers may exploit this weakness through database access points.

Mitigation should include immediate application of the IBM security patches, database query monitoring to detect anomalous use of the JSON function, and restriction of database access permissions to reduce the attack surface. Additionally, organizations should consider database firewalls or query filtering mechanisms to block execution of potentially malicious JSON_Object calls, and should establish incident response procedures for handling database service interruptions. The vulnerability underscores the importance of proper input validation and exception handling in database server components, particularly when processing structured data formats such as JSON that are increasingly common in modern database applications.
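As an added illustration of the query-monitoring mitigation described above (example code, not from VulDB or IBM): a small Python filter that flags statements invoking JSON_OBJECT in a stream of (user, statement) records and reports users whose call count crosses a threshold. The record layout and the sample statements are constructed for this example; a real deployment would feed it from Db2's own audit or activity event monitor output, whose format this page does not describe.

```python
import re
from collections import Counter

# Matches a JSON_OBJECT call regardless of case, tolerating whitespace and
# block comments between the function name and the opening parenthesis.
# \b keeps identifiers such as a table named json_objects from matching.
JSON_OBJECT_CALL = re.compile(
    r"\bJSON_OBJECT\s*(?:/\*.*?\*/\s*)*\(", re.IGNORECASE | re.DOTALL)


def strip_line_comments(sql: str) -> str:
    """Drop '--' line comments so a commented-out call is not flagged."""
    return "\n".join(part.split("--", 1)[0] for part in sql.splitlines())


def invokes_json_object(sql: str) -> bool:
    """True when the statement text actually calls JSON_OBJECT(...)."""
    return JSON_OBJECT_CALL.search(strip_line_comments(sql)) is not None


def flag_statements(records, per_user_threshold=3):
    """records: iterable of (user, sql) pairs (constructed layout, not a
    real Db2 audit format). Returns the matching records and the set of
    users issuing at least per_user_threshold JSON_OBJECT calls."""
    hits = [(user, sql) for user, sql in records if invokes_json_object(sql)]
    counts = Counter(user for user, _ in hits)
    noisy_users = {u for u, n in counts.items() if n >= per_user_threshold}
    return hits, noisy_users


# Constructed sample records: two routine application queries, a burst of
# calls from one account, a commented-out call and a look-alike table name.
SAMPLE_RECORDS = [
    ("appuser", "SELECT JSON_OBJECT(KEY 'id' VALUE id) FROM orders"),
    ("appuser", "SELECT json_object ( KEY 'a' VALUE 1 ) FROM sysibm.sysdummy1"),
    ("batch", "VALUES JSON_OBJECT /* report */ (KEY 'x' VALUE 'y')"),
    ("batch", "VALUES json_object(KEY 'x' VALUE 'y')"),
    ("batch", "VALUES JSON_OBJECT(KEY 'x' VALUE 'y')"),
    ("dba", "SELECT 1 FROM t -- JSON_OBJECT(KEY 'k' VALUE 1)"),
    ("dba", "SELECT * FROM json_objects"),
]

if __name__ == "__main__":
    hits, noisy = flag_statements(SAMPLE_RECORDS)
    for user, sql in hits:
        print(f"JSON_OBJECT call by {user}: {sql}")
    print("users over threshold:", sorted(noisy))
```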

Responsible

IBM

Reservation

04/15/2025

Disclosure

01/31/2026

Moderation

accepted

CPE

ready

EPSS

0.00046

KEV

no

Activities

very low
