CVE-2025-36366: CWE-943 in IBM Db2 for Linux, UNIX and Windows
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow a user to cause a denial of service by executing a query that invokes the JSON_Object scalar function, which may trigger an unhandled exception leading to abnormal server termination.
AI Analysis
Technical Summary
CVE-2025-36366 is a vulnerability identified in IBM Db2 for Linux, UNIX, and Windows, specifically affecting versions 11.5.0 and 12.1.0, including Db2 Connect Server. The issue arises from improper handling of exceptions within the JSON_Object scalar function. When a specially crafted query invokes this function, it can trigger an unhandled exception that leads to abnormal termination of the Db2 server process, effectively causing a denial of service (DoS). This vulnerability is categorized under CWE-943, which relates to Improper Control of Resource Identifiers, indicating that the function does not properly validate or handle input leading to resource mismanagement. The vulnerability can be exploited remotely over the network (AV:N) with low attack complexity (AC:L) and requires privileges equivalent to a normal user (PR:L), but does not require any user interaction (UI:N). The scope is unchanged (S:U), and the impact is limited to availability (A:H), with no confidentiality or integrity impact. No known exploits have been reported in the wild, and no official patches have been released at the time of this report. The vulnerability could be leveraged by an attacker with legitimate access to the database to disrupt services by causing the server to crash, potentially impacting business continuity and operational stability. The absence of patches necessitates proactive mitigation strategies to reduce risk until a fix is available.
Potential Impact
For European organizations, the primary impact of CVE-2025-36366 is the potential for denial of service on critical database infrastructure running IBM Db2. This can disrupt business operations, especially in sectors reliant on continuous database availability such as finance, healthcare, telecommunications, and government services. The vulnerability does not expose sensitive data or allow unauthorized data modification, but the loss of availability can lead to operational downtime, financial losses, and reputational damage. Organizations with multi-tenant environments or those providing database services to clients may face cascading effects if the Db2 server becomes unavailable. Additionally, recovery from abnormal termination may require manual intervention or system restarts, increasing downtime. The medium severity rating reflects the balance between the ease of exploitation and the limited impact scope, but the risk remains significant for environments where database uptime is critical.
Mitigation Recommendations
1. Restrict database user privileges to the minimum necessary, especially limiting access to execute JSON_Object scalar function queries to trusted users only.
2. Monitor and audit database query logs to detect unusual or repeated invocations of the JSON_Object function that could indicate exploitation attempts.
3. Implement network-level access controls to restrict which hosts can connect to the Db2 server, reducing exposure to potential attackers.
4. Prepare incident response plans for rapid recovery from Db2 server crashes, including automated restart procedures and backup restoration.
5. Engage with IBM support channels to obtain patches or workarounds as soon as they become available and apply them promptly.
6. Consider deploying Web Application Firewalls (WAFs) or database activity monitoring tools that can detect and block malicious queries targeting this vulnerability.
7. Test database workloads in staging environments to identify any legitimate use of JSON_Object that may be impacted by mitigation measures, ensuring business continuity.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden, Belgium, Switzerland, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: ibm
- Date Reserved: 2025-04-15T21:16:55.332Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 697d25d9ac063202227d3655
Added to database: 1/30/2026, 9:42:49 PM
Last enriched: 2/7/2026, 8:23:52 AM
Last updated: 3/25/2026, 3:29:19 AM