CVE-2025-36387: CWE-770 Allocation of Resources Without Limits or Throttling in IBM Db2 for Linux, UNIX and Windows
IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 - 11.5.9 could allow an authenticated user to cause a denial of service when given a specially crafted query.
AI Analysis
Technical Summary
CVE-2025-36387 is a vulnerability classified under CWE-770, which pertains to the allocation of resources without adequate limits or throttling. This flaw exists in IBM Db2 for Linux, UNIX, and Windows versions 11.5.0 through 11.5.9, including DB2 Connect Server components. The vulnerability allows an authenticated user to submit specially crafted SQL queries that cause the database server to allocate excessive resources, leading to denial of service (DoS) conditions. The root cause is the absence of effective resource management controls that limit the consumption of CPU, memory, or other critical resources during query execution. Because the attacker must be authenticated, exploitation requires valid credentials but does not require user interaction beyond query submission. The vulnerability impacts availability exclusively, with no direct compromise of data confidentiality or integrity. The CVSS v3.1 base score is 6.5, reflecting medium severity due to the ease of exploitation (network attack vector, low attack complexity) and the significant impact on availability. No public exploits have been reported yet, but the vulnerability poses a risk to environments where IBM Db2 is used for critical data processing. The lack of vendor patches at the time of reporting necessitates interim mitigations to prevent exploitation.
Potential Impact
For European organizations, the primary impact of CVE-2025-36387 is the potential for denial of service attacks against critical database infrastructure. This can disrupt business operations, cause downtime in services reliant on IBM Db2 databases, and result in financial losses and reputational damage. Industries such as finance, telecommunications, manufacturing, and public sector entities that rely heavily on IBM Db2 for transactional and analytical workloads are particularly vulnerable. The disruption of database availability can affect customer-facing applications, internal business processes, and regulatory reporting. Since the vulnerability requires authentication, insider threats or compromised credentials increase risk. Additionally, the absence of throttling may allow attackers to degrade performance gradually or cause sudden outages, complicating incident response. European organizations with stringent uptime requirements and regulatory obligations around data availability must address this vulnerability promptly to maintain compliance and service continuity.
Mitigation Recommendations
1. Monitor and restrict database user privileges to minimize the number of accounts with query execution rights, reducing the attack surface.
2. Implement resource governance features available in IBM Db2, such as workload management and query governor settings, to limit CPU and memory usage per query or user session.
3. Enforce strong authentication and credential management policies to prevent unauthorized access to database accounts.
4. Continuously monitor query performance and resource consumption to detect anomalous or resource-intensive queries early.
5. Apply vendor patches and updates promptly once released to address the vulnerability directly.
6. Consider network-level controls such as limiting access to the database server to trusted hosts and using firewalls or VPNs to reduce exposure.
7. Conduct regular security audits and penetration testing focused on database resource management and query execution paths.
8. Prepare incident response plans that include procedures for mitigating DoS conditions caused by resource exhaustion in database systems.
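The Db2 workload management (WLM) statements below are an added illustration of how recommendations 2 and 4 can be put into practice; they are not taken from IBM's advisory or from this page and do not address the specific query shape behind CVE-2025-36387, which is not public. They use standard Db2 11.5 WLM DDL (CREATE SERVICE CLASS, CREATE WORKLOAD, CREATE THRESHOLD, CREATE EVENT MONITOR) and the MON_GET_ACTIVITY table function. The object names (APPUSERS, APPUSERS_WL, APP_MAX_*, THRESH_VIOL), the group name APPGRP, the numeric limits and the ids passed to WLM_CANCEL_ACTIVITY are all assumed values to be tuned for the environment.

```sql
-- Added example (not from the advisory): Db2 WLM controls that cap what a single
-- activity may consume and that surface resource-hungry statements. All names
-- and limits below are assumptions.

-- 1. Route ordinary application connections into their own service class so
--    limits and monitoring target them without touching administrator sessions.
CREATE SERVICE CLASS APPUSERS;
CREATE WORKLOAD APPUSERS_WL
  SESSION_USER GROUP ('APPGRP')          -- assumed OS/LDAP group of app accounts
  SERVICE CLASS APPUSERS;
GRANT USAGE ON WORKLOAD APPUSERS_WL TO PUBLIC;

-- 2. Thresholds that stop one activity before it can exhaust the server.
--    ESTIMATEDSQLCOST rejects a statement the optimizer already rates as huge,
--    before any resources are committed to running it.
CREATE THRESHOLD APP_MAX_COST
  FOR SERVICE CLASS APPUSERS ACTIVITIES ENFORCEMENT DATABASE
  WHEN ESTIMATEDSQLCOST > 1000000        -- timerons, assumed ceiling
  STOP EXECUTION;

--    CPUTIME and SQLROWSREAD catch statements that look cheap on paper but keep
--    running; CHECKING EVERY sets how often the running value is compared.
CREATE THRESHOLD APP_MAX_CPU
  FOR SERVICE CLASS APPUSERS ACTIVITIES ENFORCEMENT DATABASE
  WHEN CPUTIME > 5 MINUTES CHECKING EVERY 30 SECONDS
  STOP EXECUTION;

CREATE THRESHOLD APP_MAX_ROWS_READ
  FOR SERVICE CLASS APPUSERS ACTIVITIES ENFORCEMENT DATABASE
  WHEN SQLROWSREAD > 50000000 CHECKING EVERY 30 SECONDS
  STOP EXECUTION;

--    SQLTEMPSPACE bounds the temporary space a sort, hash join or materialized
--    intermediate result may take on a member (this predicate is enforced per member).
CREATE THRESHOLD APP_MAX_TEMP
  FOR SERVICE CLASS APPUSERS ACTIVITIES ENFORCEMENT MEMBER
  WHEN SQLTEMPSPACE > 4 G
  STOP EXECUTION;

--    A wall-clock cap for anything the other predicates did not catch.
CREATE THRESHOLD APP_MAX_RUNTIME
  FOR SERVICE CLASS APPUSERS ACTIVITIES ENFORCEMENT DATABASE
  WHEN ACTIVITYTOTALTIME > 30 MINUTES
  STOP EXECUTION;

-- 3. Record every threshold violation so capped statements and the accounts
--    that issued them can be reviewed afterwards.
CREATE EVENT MONITOR THRESH_VIOL FOR THRESHOLD VIOLATIONS WRITE TO TABLE;
SET EVENT MONITOR THRESH_VIOL STATE 1;

-- 4. Ongoing monitoring: the most CPU- and I/O-intensive activities executing
--    right now across all members (-2), with the authorization id that owns them.
SELECT A.APPLICATION_HANDLE, A.UOW_ID, A.ACTIVITY_ID,
       A.SESSION_AUTH_ID, A.TOTAL_CPU_TIME, A.ROWS_READ,
       SUBSTR(A.STMT_TEXT, 1, 80) AS STMT_PREFIX
  FROM TABLE(MON_GET_ACTIVITY(NULL, -2)) AS A
 WHERE A.ACTIVITY_STATE = 'EXECUTING'
 ORDER BY A.TOTAL_CPU_TIME DESC
 FETCH FIRST 10 ROWS ONLY;

--    Violations captured by the event monitor; with WRITE TO TABLE the target
--    table is named THRESHOLDVIOLATIONS_<monitor name> by default.
SELECT THRESHOLDID, APPL_ID, TIME_OF_VIOLATION, THRESHOLD_ACTION
  FROM THRESHOLDVIOLATIONS_THRESH_VIOL
 ORDER BY TIME_OF_VIOLATION DESC;

-- 5. Cancel one runaway activity found above without forcing the whole
--    connection; the three ids come from the MON_GET_ACTIVITY result set.
CALL WLM_CANCEL_ACTIVITY(12345, 1, 7);   -- placeholder handle / uow / activity ids
```

The statements need WLMADM or DBADM authority. A practical rollout is to create each threshold with CONTINUE instead of STOP EXECUTION first, watch the THRESH_VIOL table for a few days to learn what legitimate workloads trip, then switch to STOP EXECUTION once the limits are tuned; the legacy query governor (db2gov) mentioned in recommendation 2 has been deprecated in favour of these WLM thresholds.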
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: ibm
- Date Reserved: 2025-04-15T21:16:57.302Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 697d25daac063202227d3682
Added to database: 1/30/2026, 9:42:50 PM
Last enriched: 1/30/2026, 9:58:51 PM
Last updated: 2/6/2026, 8:24:38 AM