CVE-2025-36001: CWE-674 Uncontrolled Recursion in IBM Db2 for Linux, UNIX and Windows
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow an authenticated user to cause a denial of service using a specially crafted SQL statement including XML that performs uncontrolled recursion.
AI Analysis
Technical Summary
CVE-2025-36001 identifies a vulnerability in IBM Db2 for Linux, UNIX, and Windows, specifically versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3, including Db2 Connect Server. The flaw stems from uncontrolled recursion triggered by specially crafted SQL statements containing XML data. When an authenticated user submits such a statement, the recursive processing can exhaust system resources, leading to a denial of service (DoS) condition that disrupts database availability. This vulnerability is classified under CWE-674, which covers uncontrolled recursion causing resource exhaustion. The CVSS 3.1 base score is 6.5 (medium severity), with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating network attack vector, low attack complexity, low privileges required (an authenticated user), no user interaction, unchanged scope, no confidentiality or integrity impact, but high impact on availability. No public exploits are known at this time, but the vulnerability could be leveraged by insiders or attackers with valid credentials to disrupt critical database services. The lack of patches at the time of reporting necessitates proactive mitigation. The vulnerability affects core IBM Db2 database products widely used in enterprise environments for critical data management across multiple operating systems. The uncontrolled recursion likely occurs during XML parsing or processing within SQL statements, causing stack overflows or excessive CPU/memory consumption. This can result in service crashes or unresponsiveness, impacting business continuity and dependent applications.
Potential Impact
For European organizations, the primary impact is on availability of critical database services running IBM Db2. Denial of service can disrupt business operations, especially in sectors relying heavily on real-time data processing such as finance, telecommunications, manufacturing, and public services. Organizations with multi-tenant environments or cloud-hosted Db2 instances may experience cascading effects impacting multiple customers or services. The requirement for authentication limits exploitation to insiders or compromised accounts, but this does not eliminate risk given the prevalence of credential theft and insider threats. Disruptions could lead to financial losses, regulatory non-compliance (e.g., GDPR mandates on service availability), and reputational damage. Recovery from DoS events may require database restarts or system reboots, causing downtime. The vulnerability also raises concerns for service providers and critical infrastructure operators in Europe who depend on IBM Db2 for operational continuity.
Mitigation Recommendations
Organizations should immediately review and restrict access controls to IBM Db2 instances, ensuring only trusted and necessary users have authentication privileges. Monitoring and alerting should be enhanced to detect unusual SQL queries, especially those involving XML processing or recursive patterns. Implement query execution time limits and resource usage caps where possible to prevent runaway recursive calls. Until official patches are released by IBM, consider deploying Web Application Firewalls (WAFs) or database firewalls that can filter or block suspicious SQL payloads. Conduct thorough audits of user privileges and enforce strong authentication mechanisms, including multi-factor authentication, to reduce risk of credential compromise. Regularly back up databases and test recovery procedures to minimize downtime impact. Engage with IBM support for updates and apply patches promptly once available. Additionally, simulate attack scenarios in controlled environments to assess organizational exposure and response readiness.
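As an added example (not from the advisory or from IBM), one way to apply the execution-time and resource caps and the XML-statement monitoring recommended above on a Db2 11.5/12.1 instance, using Db2 Workload Manager thresholds and the MON_GET_PKG_CACHE_STMT table function. The threshold names (TH_*) and the limit values are assumptions to tune per environment.

```sql
-- Added example, not from the advisory. Run as a user holding DBADM or
-- WLMADM authority. Threshold names and limits below are assumed values.

-- 1. Cap wall-clock time per activity: a runaway recursive statement is
--    cancelled (SQL4712N returned to the caller) instead of holding
--    resources until the instance becomes unresponsive.
CREATE THRESHOLD TH_MAX_ACTIVITY_TIME
  FOR DATABASE ACTIVITIES ENFORCEMENT DATABASE
  WHEN ACTIVITYTOTALTIME > 10 MINUTES
  STOP EXECUTION;

-- 2. Cap CPU time per activity. CHECKING EVERY bounds how far an
--    in-flight statement can overrun before Db2 re-evaluates the limit.
CREATE THRESHOLD TH_MAX_CPU_TIME
  FOR DATABASE ACTIVITIES ENFORCEMENT DATABASE
  WHEN CPUTIME > 2 MINUTES CHECKING EVERY 10 SECONDS
  STOP EXECUTION;

-- 3. Detection: cached dynamic statements that call XML functions
--    (XMLPARSE, XMLQUERY, XMLTABLE, ...), ranked by CPU consumed, so
--    unusually expensive XML-heavy statements stand out for review.
--    Statements that read XML columns without naming an XML function
--    will not match this filter; widen the predicate as needed.
SELECT SUBSTR(CAST(STMT_TEXT AS VARCHAR(4000)), 1, 200) AS STMT_PREFIX,
       NUM_EXECUTIONS,
       TOTAL_CPU_TIME AS CPU_USEC,   -- microseconds, all executions
       TOTAL_ACT_TIME AS ACT_MSEC    -- milliseconds, all executions
  FROM TABLE(MON_GET_PKG_CACHE_STMT('D', NULL, NULL, -2)) AS S
 WHERE UPPER(CAST(STMT_TEXT AS VARCHAR(4000))) LIKE '%XML%'
 ORDER BY TOTAL_CPU_TIME DESC
 FETCH FIRST 20 ROWS ONLY;
```

Schedule the detection query and alert when a statement's per-execution CPU (CPU_USEC / NUM_EXECUTIONS) jumps well above the baseline for that application.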
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: ibm
- Date Reserved: 2025-04-15T21:16:05.532Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 697d25d9ac063202227d363d
Added to database: 1/30/2026, 9:42:49 PM
Last enriched: 1/30/2026, 10:01:04 PM
Last updated: 2/6/2026, 7:48:33 PM