CVE-2025-36006: CWE-404 Improper Resource Shutdown or Release in IBM Db2
CVE-2025-36006 is a medium severity vulnerability in IBM Db2 versions 10.5.0 through 12.1.3 that allows an authenticated user to cause a denial of service by improper resource shutdown or release. The flaw arises from the improper handling of resources after use, leading to potential resource exhaustion. Exploitation requires network access with low complexity and no user interaction, but does require authentication. The vulnerability impacts availability without affecting confidentiality or integrity. No known exploits are currently reported in the wild. European organizations using affected IBM Db2 versions should prioritize patching once available and monitor for unusual resource usage patterns.
AI Analysis
Technical Summary
CVE-2025-36006 is a vulnerability classified under CWE-404 (Improper Resource Shutdown or Release) affecting IBM Db2 database software versions 10.5.0 through 10.5.11, 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 on Linux, UNIX, and Windows platforms, including Db2 Connect Server. The issue stems from the improper release of system or application resources after their use, which can lead to resource exhaustion and denial of service (DoS). An authenticated attacker with network access can exploit this vulnerability without requiring user interaction, making it relatively straightforward to execute in environments where user credentials are compromised or available. The vulnerability does not impact confidentiality or integrity but severely affects availability by potentially causing the Db2 service to become unresponsive or crash due to resource depletion. The CVSS v3.1 base score is 6.5, reflecting medium severity with network attack vector, low attack complexity, and privileges required. No public exploits are known at this time, but the vulnerability's nature makes it a concern for organizations relying heavily on IBM Db2 for critical data operations. The lack of available patches at the time of reporting necessitates proactive mitigation steps.
Potential Impact
For European organizations, the primary impact is on the availability of the critical database services that IBM Db2 supports. Disruption of Db2 services can halt business operations, especially in sectors like finance, telecommunications, manufacturing, and government services where Db2 is commonly deployed. Denial of service can lead to operational downtime, loss of productivity, and potential financial losses. Since the vulnerability requires authentication, the risk is elevated in environments with weak access controls or compromised credentials. Additionally, prolonged resource exhaustion could affect other applications on shared infrastructure, amplifying the impact. Organizations with regulatory obligations for service availability and continuity, such as those under the GDPR and the NIS Directive, may face compliance risks if disruptions occur. The absence of known exploits reduces immediate risk but does not eliminate the threat, particularly as attackers may develop exploits once patches are released.
Mitigation Recommendations
1. Monitor IBM's security advisories closely and apply official patches or updates as soon as they become available to address CVE-2025-36006.
2. Restrict database access strictly to necessary authenticated users and enforce strong authentication mechanisms, including multi-factor authentication where possible.
3. Implement resource usage monitoring on Db2 servers to detect abnormal resource consumption patterns indicative of exploitation attempts.
4. Configure database and operating system resource limits (e.g., memory, file handles, connections) to prevent resource exhaustion from a single user or process.
5. Conduct regular audits of user privileges to minimize the number of users with sufficient rights to exploit this vulnerability.
6. Employ network segmentation and firewall rules to limit access to Db2 services only to trusted hosts and networks.
7. Prepare incident response plans that include steps to identify and mitigate denial of service conditions related to resource exhaustion.
8. Consider deploying application-layer protections or database activity monitoring tools that can alert on unusual behavior related to resource usage.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: ibm
- Date Reserved: 2025-04-15T21:16:05.532Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 690e449cdc0204d2f6657991
Added to database: 11/7/2025, 7:12:28 PM
Last enriched: 11/14/2025, 8:02:02 PM
Last updated: 12/22/2025, 10:15:57 PM