PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-1718 IBM CVE debrief

IBM Db2 versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 contain a denial-of-service vulnerability triggered by specially crafted queries when autonomous transactions are enabled. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H) indicates network attack vector, low attack complexity, low privileges required, no user interaction, and high availability impact with limited confidentiality impact. The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). Published and modified on 2026-05-27, this CVE is currently undergoing analysis in the NVD and is not listed in CISA KEV. IBM has published a security bulletin with remediation guidance.

Vendor
IBM
Product
Db2
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Database administrators managing IBM Db2 deployments, security teams responsible for database infrastructure, and organizations running Db2 with autonomous transactions enabled for application functionality.

Technical summary

A vulnerability in IBM Db2 allows authenticated attackers with low privileges to cause a denial of service through specially crafted queries when autonomous transactions are enabled. The flaw is an improper resource allocation issue (CWE-770) that lets an attacker exhaust database resources remotely. Affected versions span 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4. Network-accessible Db2 instances with autonomous transactions enabled are at highest risk.

Defensive priority

HIGH

Recommended defensive actions

  • Review IBM security bulletin for available fixes and apply patches when released
  • Assess Db2 deployments for enabled autonomous transactions and evaluate necessity
  • Implement query monitoring and rate limiting for database connections
  • Restrict database network access to authorized hosts and applications
  • Monitor for anomalous query patterns that may indicate exploitation attempts

Evidence notes

CVE description confirms affected versions and attack conditions. CVSS vector and CWE-770 classification sourced from NVD metadata. IBM PSIRT reference confirms vendor acknowledgment. No KEV entry present.

Official resources

2026-05-27