CVE-2026-9762
IBM · Db2
IBM Db2 is susceptible to a code injection vulnerability that could allow an authenticated local user to execute unauthorized code.
Executive summary
A code injection vulnerability in IBM Db2 versions 11.5 and 12.1 enables authenticated local users to potentially execute arbitrary code on the database server.
Vulnerability
The vulnerability is identified as CWE-94, which involves the improper control of code generation. It requires the attacker to have local access and low privileges to execute the injection successfully.
Business impact
A successful code injection attack allows an authenticated local user to gain elevated control over the database environment. This could result in unauthorized data modification, exfiltration, or complete system takeover, justifying the high CVSS score of 7.8.
Remediation
Immediate Action: Download and apply the appropriate interim fix or special build (e.g., Special Build #87098 or later for V11.5.9) from IBM Fix Central.
Proactive Monitoring: Audit database user permissions and monitor for unauthorized execution of administrative or system-level commands.
Compensating Controls: Enforce the principle of least privilege for all database users and ensure local system access is strictly controlled to prevent unauthorized login attempts.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
While the exploit requires local access, the potential for code injection remains a significant security risk for database administrators. Administrators should apply the recommended interim fixes or special builds as soon as possible to mitigate this risk.