
CVE-2025-36353: CWE-943 in IBM Db2 for Linux, UNIX and Windows

Severity: Medium
Tags: Vulnerability, CVE-2025-36353, CWE-943
Published: Fri Jan 30 2026 (01/30/2026, 21:27:57 UTC)
Source: CVE Database V5
Vendor/Project: IBM
Product: Db2 for Linux, UNIX and Windows

Description

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic.

AI-Powered Analysis

Last updated: 01/30/2026, 21:59:38 UTC

Technical Analysis

CVE-2025-36353 is a vulnerability in IBM Db2 for Linux, UNIX, and Windows (including Db2 Connect Server) affecting versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3. The root cause is improper neutralization of special elements in data query logic, classified as CWE-943: input reaching the query layer is not sufficiently sanitized and can alter how the query is processed. A local user needs no Db2 privileges to trigger it: by submitting specially formed queries or input, they can drive the database server into an unstable state, resulting in denial of service (DoS). The CVSS v3.1 base score is 6.2 (medium), from the vector AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: local attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, and high impact on availability only, with no confidentiality or integrity loss. The advisory does not say whether "local" means an operating-system account on the Db2 host or any session over a local interface, so treat any account able to reach the instance locally as in scope until IBM's bulletin clarifies. No public exploit or active exploitation has been reported, but the flaw is a realistic risk wherever untrusted or low-trust users can reach the Db2 host, and a successful trigger takes down every application that depends on the instance. IBM has not yet published patches, so organizations should monitor for updates and apply them promptly once available.

Potential Impact

For European organizations, the primary impact of CVE-2025-36353 is the potential for denial of service on critical database systems running IBM Db2. This could lead to downtime of business-critical applications, disruption of data processing, and operational delays. Sectors such as finance, manufacturing, telecommunications, and public services that rely heavily on Db2 for transaction processing and data management could experience significant operational impact. Although the vulnerability requires local access, insider threats or compromised internal accounts could exploit it to disrupt services. The lack of confidentiality or integrity impact limits data breach risks, but availability interruptions can still cause financial losses and reputational damage. Organizations with strict uptime requirements and SLAs may face contractual penalties if service disruptions occur. The absence of known exploits reduces immediate risk, but proactive mitigation is essential to prevent future exploitation.

Mitigation Recommendations

1. Restrict local access to IBM Db2 servers to trusted, authorized personnel only; because the vector is local and requires no Db2 privileges, every account that can reach the host is in scope.
2. Implement internal access controls and monitoring to detect and block unauthorized local user activity on database servers.
3. Track IBM security advisories for the fix for CVE-2025-36353 and apply it promptly once available; until then, record which instances run an affected modification level (11.5.0 - 11.5.9, 12.1.0 - 12.1.3).
4. Use host-based intrusion detection (HIDS) for unusual process, file, and login activity on the Db2 host; HIDS does not see SQL, so pair it with Db2's own audit facility (db2audit) for statement-level visibility.
5. Conduct regular audits of user privileges on database servers so that least privilege is actually enforced.
6. Enable database query logging and alerting to flag malformed or repeatedly failing statements that could be attempts to trigger the vulnerability; note that the advisory does not describe the triggering input, so alert on anomalies rather than a specific pattern.
7. Where patching is delayed, isolate Db2 servers from non-essential local users and services to reduce the attack surface, and ensure instance restart procedures are tested so recovery from a DoS is quick.
8. Educate internal teams about the risks of local exploitation and enforce strict operational security policies around database server access.
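As a practical first step for item 3 above, the following is an added example (not from this page and not IBM's code) that reads the output of `db2level` and reports whether the installed Db2 release falls inside the affected ranges listed in the advisory. The sample `db2level` output is constructed for the example; the script assumes the `Informational tokens are "DB2 vX.Y.Z.W"` line is authoritative for the install being checked, and it deliberately treats every fix pack within an affected modification level as affected, since the advisory lists modification levels, not specific builds.

```python
"""Check a Db2 install against the CVE-2025-36353 affected ranges.

Added example: parses `db2level` output and compares the reported
release to the version ranges quoted in the advisory text.
"""
import re
import subprocess

# Inclusive ranges taken from the advisory: 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3.
# Compared on (major, minor, modification) only, so every fix pack of an
# affected modification level is treated as affected.
AFFECTED_RANGES = [
    ((11, 5, 0), (11, 5, 9)),
    ((12, 1, 0), (12, 1, 3)),
]

# db2level prints a line such as:
#   Informational tokens are "DB2 v11.5.9.0", "s2310270807", ...
DB2LEVEL_RE = re.compile(r'Informational tokens are "DB2 v(\d+(?:\.\d+)*)"')

# Constructed sample output in the usual db2level format (not captured from a real host).
SAMPLE_DB2LEVEL = (
    'DB21085I  This instance or install (instance name, where applicable: '
    '"db2inst1") uses "64" bits and DB2 code release "SQL11059" with level '
    'identifier "0A0A0107".\n'
    'Informational tokens are "DB2 v11.5.9.0", "s2310270807", '
    '"DYN2310270807AMD64", and Fix Pack "0".\n'
)


def parse_db2level(output: str):
    """Return (major, minor, modification) from db2level output, or None if absent."""
    match = DB2LEVEL_RE.search(output)
    if not match:
        return None
    parts = tuple(int(p) for p in match.group(1).split("."))
    # Pad short strings such as "12.1" so they compare like 12.1.0.
    parts = parts + (0,) * max(0, 3 - len(parts))
    return parts[:3]


def is_affected(version) -> bool:
    """True if the (major, minor, mod) tuple is inside any advisory range."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def assess(output: str) -> dict:
    """Produce a small verdict dict from raw db2level output."""
    version = parse_db2level(output)
    if version is None:
        return {"version": None, "affected": None,
                "reason": "could not find 'Informational tokens' line in db2level output"}
    affected = is_affected(version)
    reason = ("inside an affected range from the advisory; apply IBM's fix when published"
              if affected else
              "outside the advisory's listed ranges; still confirm against IBM's fix information")
    return {"version": ".".join(map(str, version)), "affected": affected, "reason": reason}


def assess_local_install() -> dict:
    """Run db2level on this host (assumes it is on PATH and the instance env is sourced)."""
    proc = subprocess.run(["db2level"], capture_output=True, text=True, check=False)
    return assess(proc.stdout)


if __name__ == "__main__":
    # Demonstrate on the constructed sample; swap in assess_local_install() on a real host.
    print(assess(SAMPLE_DB2LEVEL))
```

Run it on each Db2 host (and Db2 Connect Server) as the instance owner so that `db2level` resolves; a `None` verdict means the output did not match the expected format and should be checked by hand rather than treated as safe.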


Technical Details

Data Version: 5.2
Assigner Short Name: ibm
Date Reserved: 2025-04-15T21:16:54.209Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 697d25d9ac063202227d364f

Added to database: 1/30/2026, 9:42:49 PM

Last enriched: 1/30/2026, 9:59:38 PM

Last updated: 2/6/2026, 10:10:16 AM

Views: 22
