
CVE-2025-36123: CWE-770 Allocation of Resources Without Limits or Throttling in IBM Db2 for Linux, UNIX and Windows

Severity: Medium
Tags: Vulnerability, CVE-2025-36123, CWE-770
Published: Fri Jan 30 2026 (01/30/2026, 21:28:03 UTC)
Source: CVE Database V5
Vendor/Project: IBM
Product: Db2 for Linux, UNIX and Windows

Description

IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service when copying a large table containing XML data, due to improper allocation of system resources.

AI-Powered Analysis

Last updated: 01/30/2026, 21:59:52 UTC

Technical Analysis

CVE-2025-36123 is a resource exhaustion vulnerability classified under CWE-770 (Allocation of Resources Without Limits or Throttling) affecting IBM Db2 for Linux, UNIX, and Windows, including DB2 Connect Server, specifically versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3. The flaw occurs during the operation of copying large tables that contain XML data, where the system improperly allocates resources without adequate limits or throttling mechanisms. This can lead to excessive consumption of system resources such as memory or CPU, ultimately causing a denial of service condition. The vulnerability requires local access but no privileges or user interaction, meaning any local user can trigger the issue. The impact is limited to availability, with no direct compromise of confidentiality or integrity. The CVSS v3.1 score is 6.2 (medium), reflecting the local attack vector and lack of privilege requirements but limited scope. No patches or known exploits are currently reported, but the vulnerability poses a risk to environments where local user access is possible and large XML data tables are manipulated. The underlying cause is insufficient resource management during XML data handling in copy operations, which could be exploited to degrade or disrupt database service.

Potential Impact

For European organizations, the primary impact is a denial of service affecting database availability, which can disrupt business operations, especially in sectors relying heavily on IBM Db2 for critical data processing such as finance, manufacturing, and public services. The vulnerability could allow any local user, including potentially less privileged users or compromised accounts, to exhaust system resources, leading to service outages or degraded performance. This may result in operational downtime, loss of productivity, and potential financial losses. While confidentiality and integrity are not directly impacted, the availability disruption could indirectly affect compliance with service-level agreements and regulatory requirements, particularly in GDPR-regulated environments where data availability is critical. Organizations with multi-tenant or shared environments may face increased risk if local user isolation is weak. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially in environments with insider threats or inadequate access controls.

Mitigation Recommendations

To mitigate CVE-2025-36123, European organizations should:

1) Monitor IBM security advisories closely and apply patches or updates as soon as they become available for affected Db2 versions.
2) Implement strict local user access controls and minimize the number of users with local access to database servers.
3) Employ resource usage monitoring and limits on database operations involving large XML data sets to detect and prevent excessive resource consumption.
4) Use database auditing to identify unusual copy operations or resource spikes.
5) Consider isolating database servers in hardened environments with restricted local access.
6) Evaluate upgrading to later Db2 versions not affected by this vulnerability.
7) Conduct regular security reviews and penetration testing focusing on resource exhaustion scenarios.
8) Educate administrators and users about the risks of executing large XML data copy operations without proper controls.

These steps go beyond generic advice by focusing on operational controls, monitoring, and access restrictions tailored to the vulnerability's characteristics.


Technical Details

Data Version: 5.2
Assigner Short Name: ibm
Date Reserved: 2025-04-15T21:16:18.171Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 697d25d9ac063202227d3649

Added to database: 1/30/2026, 9:42:49 PM

Last enriched: 1/30/2026, 9:59:52 PM

Last updated: 2/2/2026, 1:47:43 PM