- CVE: CVE-2026-10109
- CVSS: 9.8 (Critical · CVSSv3)
- Product: IBM Db2
- Affected: 11.5.0, 12.1.0
- Impact: IBM® Db2® is vulnerable to remote code execution due to improper pre-auth DRDA handshake handling
- Status: No confirmed exploitation yet
- EPSS: 0.9% (30-day)
- Action: See vendor advisory
TL;DR
IBM patched three flaws in Db2 for Linux, UNIX, and Windows. The worst is an IBM Db2 RCE that needs no login. Tracked as CVE-2026-10109, it scores 9.8 on the CVSS scale.
Why this IBM Db2 RCE matters
Db2 powers core databases inside many enterprises. A pre-auth flaw lets a remote attacker run code without any credentials. That code runs in the server’s own context. As a result, a single exposed instance can fall quickly.
How the flaws work
The critical bug sits in the DRDA connection handshake. Db2 mishandles input before authentication, so a crafted handshake can inject code. IBM classifies this as CWE-94 code injection and is withholding technical details to slow attackers. Two lesser bugs also received fixes. CVE-2025-36372 can leak data from monitoring tables to an authenticated user. CVE-2026-11906 lets an authenticated user crash a federated server through XMLTable queries.
Affected versions
The flaws hit Db2 11.5.0 through 11.5.9. They also affect 12.1.0 through 12.1.4. All platforms and Server editions are affected.
Exploitation status
No public proof-of-concept exists yet. Researchers report no in-the-wild abuse so far. IBM has not released replication steps for the flaw.
Patch and mitigation
Apply IBM’s special builds now. For the 11.5 line, install Special Build #84653 or later. For the 12.1 line, install Special Build #86230 or later. Both come from IBM Fix Central. Until you patch, restrict network access to the Db2 listener.
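To find which instances still need the special build, the version ranges and build numbers above can be checked against an inventory. The following is an added example, not code from IBM or from this report. The CSV layout and host names are hypothetical, and it assumes special-build numbers on the same release line compare numerically.

```python
import csv
import io
import re

# Affected release lines and first fixed special build, as stated in the advisory above.
AFFECTED = {
    (11, 5): {"max_mod": 9, "fixed_build": 84653},
    (12, 1): {"max_mod": 4, "fixed_build": 86230},
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def triage(version, special_build=None):
    """Classify one instance as 'vulnerable', 'fixed', 'not-listed' or 'unknown'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unknown"  # unparseable version: needs a manual check
    major, minor, mod = (int(x) for x in m.groups())
    line = AFFECTED.get((major, minor))
    if line is None or mod > line["max_mod"]:
        return "not-listed"  # outside the ranges the advisory names
    # Assumption: "or later" means a numerically higher build on the same line.
    if special_build is not None and special_build >= line["fixed_build"]:
        return "fixed"
    return "vulnerable"


def triage_inventory(csv_text):
    """Map host -> status for a CSV with host,version,special_build columns."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        build = (row.get("special_build") or "").strip()
        # A missing or non-numeric build is treated as unpatched.
        results[row["host"].strip()] = triage(
            row["version"], int(build) if build.isdigit() else None)
    return results


# Constructed sample inventory (hypothetical hosts and column layout).
SAMPLE = """host,version,special_build
db-prod-01,11.5.9.0,
db-prod-02,11.5.8.0,84653
db-dr-01,12.1.4.0,86100
db-dev-01,12.1.2.0,86230
db-legacy,10.5.0.11,
db-odd,unknown,
"""

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host:12} {status}")
```

Hosts reported as `vulnerable` or `unknown` are the ones to patch first or to place behind a restricted listener until the build is installed.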