CVE-2025-36140: CWE-770 Allocation of Resources Without Limits or Throttling in IBM watsonx.data

Severity: Medium
Published: Mon Dec 08 2025 (12/08/2025, 22:11:02 UTC)
Source: CVE Database V5
Vendor/Project: IBM
Product: watsonx.data

Description

IBM watsonx.data 2.2 through 2.2.1 could allow an authenticated user to cause a denial of service through ingestion pods due to improper allocation of resources without limits.

AI-Powered Analysis

AI analysis last updated: 12/08/2025, 22:46:27 UTC

Technical Analysis

CVE-2025-36140 identifies a resource exhaustion vulnerability in IBM watsonx.data versions 2.2 through 2.2.1, specifically in the ingestion pods responsible for data intake. It is classified as CWE-770: Allocation of Resources Without Limits or Throttling, meaning that the software does not impose adequate constraints on resource usage during data ingestion. An authenticated user can exploit this by submitting data ingestion requests that cause the ingestion pods to consume excessive CPU, memory, or other system resources. This uncontrolled resource consumption can lead to a denial of service in which legitimate users and processes are starved of resources, causing service degradation or outages. The CVSS 3.1 score of 6.5 (medium severity) reflects a network-based attack vector, low attack complexity, privileges required (an authenticated user), no user interaction beyond authentication, no impact on confidentiality or integrity, and high impact on availability. No known exploits are currently reported. The affected product, IBM watsonx.data 2.2 and 2.2.1, is a data management and analytics platform used in enterprise environments for large-scale data ingestion and processing. The lack of patch links suggests a fix may be pending or in development. This vulnerability highlights the importance of resource management controls in cloud-native and containerized data services to prevent denial of service via resource exhaustion.

Potential Impact

For European organizations, the primary impact is availability disruption of IBM watsonx.data services, which could halt or degrade critical data ingestion and analytics workflows. This can affect decision-making, operational monitoring, and business intelligence processes relying on timely data. Organizations in sectors such as finance, manufacturing, telecommunications, and public services that utilize IBM watsonx.data for large-scale data analytics are at risk of operational downtime. The denial of service could also cascade to dependent systems and services, amplifying business impact. Since exploitation requires authentication, insider threats or compromised credentials increase risk. The absence of confidentiality or integrity impact reduces risk of data breaches but does not diminish operational risks. Given the growing reliance on AI and data analytics platforms in Europe, service interruptions could have regulatory and reputational consequences, especially under GDPR and other compliance frameworks.

Mitigation Recommendations

European organizations should immediately audit their IBM watsonx.data deployments to identify affected versions (2.2 and 2.2.1). Until patches are available, implement strict resource quotas and limits on ingestion pods at the container orchestration level (e.g., Kubernetes resource limits) to prevent resource exhaustion. Enforce strong authentication and access controls to limit the number of users who can perform data ingestion. Monitor ingestion pod resource usage closely with alerts for abnormal spikes. Employ network segmentation and rate limiting to reduce the risk of abuse by authenticated users. Engage with IBM support to obtain patches or recommended configuration changes as soon as they are released. Additionally, conduct regular credential hygiene and insider threat monitoring to reduce risk from authorized users. Finally, test failover and recovery procedures to minimize downtime impact if exploitation occurs.
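The orchestration-level check recommended above, as an added illustration that is not part of the original advisory or of IBM's manifests: it audits pod specs for containers that run with no CPU or memory limit (the CWE-770 condition) and places an unbounded ingestion pod beside a bounded one. Pod names, images and the limit values are placeholders chosen for the example.

```python
"""Flag Kubernetes containers that have no hard CPU/memory limit.
Constructed example with placeholder pod names and values; the real
watsonx.data manifests are not reproduced here."""
from typing import Dict, List

REQUIRED_LIMITS = ("cpu", "memory")


def missing_limits(pod: Dict) -> List[str]:
    """Return 'container/resource' entries that lack a hard limit.

    An empty list means every container is bounded, so one ingestion
    job cannot consume the node's CPU or memory without restriction."""
    findings = []
    for c in pod["spec"].get("containers", []):
        limits = c.get("resources", {}).get("limits") or {}
        for res in REQUIRED_LIMITS:
            if res not in limits:
                findings.append(f"{c['name']}/{res}")
    return findings


def audit(pods: List[Dict]) -> Dict[str, List[str]]:
    """Map pod name -> findings for every pod that fails the check."""
    return {p["metadata"]["name"]: f for p in pods if (f := missing_limits(p))}


# Weak setting: an ingestion pod with no resources block at all.
UNBOUNDED_POD = {
    "metadata": {"name": "ingest-unbounded"},
    "spec": {"containers": [{"name": "ingest", "image": "example/ingest:1"}]},
}

# Corrected setting: explicit requests and limits on every container.
BOUNDED_POD = {
    "metadata": {"name": "ingest-bounded"},
    "spec": {"containers": [{
        "name": "ingest",
        "image": "example/ingest:1",
        "resources": {
            "requests": {"cpu": "500m", "memory": "1Gi"},
            "limits": {"cpu": "2", "memory": "4Gi"},
        },
    }]},
}

if __name__ == "__main__":
    for name, f in audit([UNBOUNDED_POD, BOUNDED_POD]).items():
        print(f"{name}: no hard limit for {', '.join(f)}")
```

A LimitRange in the ingestion namespace enforces defaults cluster-side, but the audit above is useful for catching specs that override or omit them.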

Technical Details

Data Version: 5.2
Assigner Short Name: ibm
Date Reserved: 2025-04-15T21:16:19.940Z
CVSS Version: 3.1
State: PUBLISHED

Added to database: 12/8/2025, 10:31:33 PM

Last enriched: 12/8/2025, 10:46:27 PM

Last updated: 12/11/2025, 3:44:28 AM