CVE-2025-36366 is a vulnerability identified in IBM Db2 for Linux, UNIX, and Windows, specifically affecting versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3. The root cause is improper neutralization of special elements in data query logic, classified under CWE-943, which typically involves insufficient sanitization of input that can alter the intended logic of queries. This flaw allows a local user with some level of system privileges to craft malicious queries or input that can cause the database server to crash or become unresponsive, resulting in a denial of service (DoS). The vulnerability does not allow unauthorized data access or modification, but it impacts availability, potentially disrupting business operations dependent on the database. The CVSS v3.1 base score is 6.5, reflecting medium severity, with the vector indicating network attack vector, low attack complexity, requiring privileges, no user interaction, and affecting availability only. No public exploits or active exploitation have been reported to date. The vulnerability affects both standalone Db2 installations and Db2 Connect Server environments, which are widely used in enterprise settings for database management and connectivity. The lack of patches at the time of reporting necessitates proactive mitigation steps to reduce risk until official fixes are released.

For European organizations, the primary impact of CVE-2025-36366 is operational disruption due to denial of service on critical IBM Db2 database servers. Industries such as finance, manufacturing, telecommunications, and public sector entities that rely heavily on Db2 for transaction processing and data management could experience downtime, leading to potential financial losses and service interruptions. Although the vulnerability does not compromise data confidentiality or integrity, the availability impact can affect business continuity and service level agreements. Organizations with multi-tenant environments or shared database servers may see amplified effects if the vulnerability is exploited by a malicious insider or compromised local account. The requirement for local privileges limits remote exploitation but does not eliminate risk, especially in environments with multiple users or insufficient access controls. The absence of known exploits reduces immediate threat but does not preclude future attacks once exploit code becomes available.

1. Apply official IBM patches and updates promptly once they are released for the affected Db2 versions. 2. Restrict local user privileges on Db2 servers to the minimum necessary, enforcing the principle of least privilege to prevent unauthorized query execution. 3. Implement strict access controls and monitoring on systems hosting Db2 to detect and prevent suspicious local activities. 4. Use database activity monitoring tools to identify anomalous query patterns that may indicate exploitation attempts. 5. Consider isolating critical Db2 servers in secure network segments with limited user access. 6. Regularly audit user accounts and permissions on Db2 servers to remove unnecessary privileges. 7. Develop and test incident response plans for database availability issues to minimize downtime impact. 8. Educate system administrators and database users about the risks of executing untrusted queries or scripts locally.