CVE-2025-1000 — Allocation of Resources Without Limits or Throttling in IBM DB2

CWE-770 — Allocation of Resources Without Limits or Throttling CWE-20 — Improper Input Validation CWE-1335 — Incorrect Bitwise Shift of Integer CWE-73 — External Control of File Name or Path CWE-22 — Path Traversal18 documents9 sources

Severity

6.5MEDIUMNVD

CNA5.3

EPSS

0.2%

top 63.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM DB2

Timeline

PublishedMay 5

Latest updateJan 21

Description

IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.1 could allow an authenticated user to cause a denial of service when connecting to a z/OS database due to improper handling of automatic client rerouting.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages1 packages

▶NVDibm/db211.5 — 11.5.9+1

🔴Vulnerability Details

GHSA

SiYuan vulnerable to Arbitrary file Read / SSRF↗2026-01-21

▶

GHSA

qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion↗2025-12-30

▶

GHSA

SpiceDB WriteRelationships fails silently if payload is too big↗2025-11-13

▶

GHSA

GHSA-66j9-wx8r-qgqq: IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11↗2025-05-05

▶

CVEList

IBM Db2 denial of service↗2025-05-05

▶

📋Vendor Advisories

Red Hat

qs: qs: Denial of Service via improper input validation in array parsing↗2025-12-29

▶

Red Hat

kernel: sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto↗2025-12-06

▶

Chrome

Stable Channel Update for Desktop: CVE-2025-12905↗2025-09-02

▶

Chrome

Stable Channel Update for Desktop: CVE-2025-12908↗2025-09-02

▶

Microsoft

Windows Security App Spoofing Vulnerability↗2025-06-10

▶