IBM Cloud APM, Base Private 8.1.4 and IBM Cloud APM, Advanced Private 8.1.4 IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in the data query logic of the Fenced environment.
"}],"value":"IBM Cloud APM, Base Private 8.1.4 and IBM Cloud APM, Advanced Private 8.1.4 IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in the data query logic of the Fenced environment."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-1284","description":"CWE-1284 Improper Validation of Specified Quantity in Input","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-27T12:48:42.947Z","orgId":"9a959283-ebb5-44b6-b705-dcc2bbced522","shortName":"ibm"},"references":[{"tags":["vendor-advisory","patch"],"url":"https://www.ibm.com/support/pages/node/7273649"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"The vulnerabilities can be remediated by first applying the necessary fixes to your DB2 V11.5 server. The fixes can be accessed from the following security bulletins:
Security Bulletin: Security Bulletin: IBM® Db2® is vulnerable to a denial of service with a specially crafted query when stmtheap is set to automatic (CVE-2025-36122)
Security Bulletin: Security Bulletin: IBM® Db2® is vulnerable to a denial of service when fetching from certain tables under specific configurations (CVE-2025-14688)
Security Bulletin: Security Bulletin: IBM® Db2® is affected by a vulnerability in netty-codec-http-4.1.127 (CVE-2025-67735)
Security Bulletin: Security Bulletin: IBM® Db2® is vulnerable to a denial of service with a specially crafted query involving multiple subqueries (CVE-2026-1577)
To use your updated DB2 V11.5 server with your IBM Cloud Application Performance Management product, apply the 8.1.4.0-IBM-APM-SERVER-IF0004 or later server patch to the system where the Cloud APM server is installed. Interim fixes for the Cloud APM server version 8.1.4 are available to download from IBM Fix Central at this link:
"}],"value":"The vulnerabilities can be remediated by first applying the necessary fixes to your DB2 V11.5 server. The fixes can be accessed from the following security bulletins:\n\n\n\nSecurity Bulletin: https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FTivoli%2FIBM+Application+Performance+Management&fixids=8.1.4.0-IBM-APM-SERVER-IF0019&source=SAR&function=fixId&parent=IBM%20Performance%20Management%20family"}],"title":"There are multiple vulnerabilities in IBM DB2 bundled with IBM Application Performance Management products.","x_generator":{"engine":"ibm-cvegen"}}},"cveMetadata":{"assignerOrgId":"9a959283-ebb5-44b6-b705-dcc2bbced522","assignerShortName":"ibm","cveId":"CVE-2026-3676","datePublished":"2026-05-27T12:48:42.947Z","dateReserved":"2026-03-06T21:17:59.734Z","dateUpdated":"2026-05-27T14:38:08.383Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-27 14:16:47","lastModifiedDate":"2026-06-02 19:41:27","problem_types":["CWE-1284","CWE-1284 CWE-1284 Improper Validation of Specified Quantity in Input"],"metrics":{"cvssMetricV31":[{"source":"psirt@us.ibm.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":3.6}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:cloud_application_performance_managemen:8.1.4:*:*:*:advanced_private:*:*:*","matchCriteriaId":"43C3A789-AF8E-4A00-84DF-3BC5979A591A"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:cloud_application_performance_managemen:8.1.4:*:*:*:base_private:*:*:*","matchCriteriaId":"6E074B2A-6B9D-4BFD-A254-C3855C01F121"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"3676","Ordinal":"1","Title":"There are multiple vulnerabilities in IBM DB2 bundled with IBM A","CVE":"CVE-2026-3676","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"3676","Ordinal":"1","NoteData":"IBM Cloud APM, Base Private 8.1.4 and IBM Cloud APM, Advanced Private 8.1.4 IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in the data query logic of the Fenced environment.","Type":"Description","Title":"There are multiple vulnerabilities in IBM DB2 bundled with IBM A"}]}}}