IBM DB2 DoS (7250479) (Unix)

🗓️ 26 Nov 2025 00:00:00Reported by TenableType

IBM database may be vulnerable to DoS from improper resource release (CVE-2025-36006) in listed versions.

Reporter	Title	Published	Views	Family All 17
IBM Security Bulletins	Security Bulletin: IBM Db2 used by IBM Security Verify Governance has multiple vulnerabilities	23 Feb 202612:30	–	ibm
IBM Security Bulletins	Security Bulletin: IBM® Db2® is vulnerable to a denial of service due to the improper release of resources after use (CVE-2025-36006)	9 Dec 202520:01	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM® Db2® affect IBM® Db2® Big SQL on IBM Cloud Pak for Data	23 Jan 202612:14	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities affect Data Virtualization on IBM Software Hub (December 2025)	16 Dec 202506:45	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities have been identified in IBM® Db2® shipped with IBM WebSphere Remote Server	21 Nov 202519:19	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple security vulnerabilities have been identified in IBM Db2 shipped with IBM Guardium Key Lifecycle Manager	10 Dec 202507:46	–	ibm
CNNVD	IBM Db2 安全漏洞	7 Nov 202500:00	–	cnnvd
CNVD	IBM Db2 Denial of Service Vulnerability (CNVD-2025-29176)	12 Nov 202500:00	–	cnvd
CVE	CVE-2025-36006	7 Nov 202519:04	–	cve
Cvelist	CVE-2025-36006 IBM Db2 denial of service	7 Nov 202519:04	–	cvelist

Source	Link
ibm	www.ibm.com/support/pages/node/7250479
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(276923);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/08");

  script_cve_id("CVE-2025-36006");
  script_xref(name:"IAVB", value:"2025-B-0187-S");

  script_name(english:"IBM DB2 DoS (7250479) (Unix)");

  script_set_attribute(attribute:"synopsis", value:
"The remote database server is affected by a denial of service vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, IBM Db2 on Unix may be affected by a vulnerability:

  - IBM Db2 10.5.0 through 10.5.11, 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 
    12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to 
    cause a denial due to the improper release of resources after use. (CVE-2025-36006)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.ibm.com/support/pages/node/7250479");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate IBM DB2 Fix Pack or Special Build based on the most recent fix pack level for your branch.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-36006");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/11/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/11/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/11/26");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:db2");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Databases");

  script_copyright(english:"This script is Copyright (C) 2025-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("db2_installed.nbin");
  script_require_keys("installed_sw/DB2 Server");
  script_exclude_keys("SMB/db2/Installed");

  exit(0);
}

include('vcf_extras_db2.inc');

# The remote host's OS is Windows, not Linux.
if (get_kb_item('SMB/db2/Installed'))
  audit(AUDIT_OS_NOT, 'Unix', 'Windows');

var app_info = vcf::ibm_db2::get_app_info();
# DB2 has an optional OpenSSH server that will run on
# windows.  We need to exit out if we picked up the windows
# installation that way.
if ('Windows' >< app_info['platform'])
  audit(AUDIT_HOST_NOT, 'a Unix based operating system');

if (app_info.version == 11.5.9.0 && app_info.special_build == '66394')
  audit(AUDIT_INST_VER_NOT_VULN, app_info.version);

var constraints = [
  {'equal':'10.5.0.11', 'fixed_build':'41606', 'fixed_display':'10.5.0.11 + Special Build 41606'},
  {'min_version':'10.5', 'max_version':'10.5.0.9', 'fixed_version':'10.5.0.11', 'fixed_display':'10.5.0.11 + Special Build 41606'},
  {'equal':'11.1.4.7', 'fixed_build':'41627', 'fixed_display':'11.1.4.7 + Special Build 41627'},
  {'min_version':'11.1', 'fixed_version':'11.1.4.7', 'fixed_display':'11.1.4.7 + Special Build 41627'},
  {'equal':'11.5.9.0', 'fixed_build':'69673', 'fixed_display':'11.5.9.0 + Special Build 66394 or Special Build 69673'},
  {'min_version':'11.5', 'fixed_version':'11.5.9.0', 'fixed_display':'11.5.9.0 + Special Build 66394 or Special Build 69673'},
  {'equal':'12.1.2.0', 'fixed_build':'70120', 'fixed_display':'12.1.2.0 + Special Build 70120'},
  {'min_version':'12.1', 'fixed_version':'12.1.2', 'fixed_display':'12.1.2.0 + Special Build 70120'},
];

vcf::ibm_db2::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);

08 Apr 2026 00:00Current

6.5Medium risk

Vulners AI Score6.5

CVSS 3.16.5

EPSS0.00043

SSVC