CRITICAL · CVE-2026-10109 · CNA: ibm

CVE-2026-10109: IBM® Db2® is vulnerable to remote code execution due to improper pre-auth DRDA handshake handling

IBM Db2 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 are vulnerable to remote code execution due to improper pre-auth DRDA handshake handling.

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: (none listed)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A pre-authentication remote code execution vulnerability exists in IBM Db2 versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4, caused by improper handling of the DRDA (Distributed Relational Database Architecture) connection handshake. The flaw is reachable over the network with no credentials required, meaning any host that can reach the Db2 service port can trigger it. Successful exploitation gives an attacker full code execution on the database server. No upstream fix has been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available the moment IBM ships a fix.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle IBM Db2. Any image carrying an affected Db2 version (11.5.0-11.5.9 or 12.1.0-12.1.4) is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at 9.8 CRITICAL using the published CVSS v3.1 vector and weights it against each environment's compliance policy, which may elevate urgency further for regulated workloads. Triage findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Status: Available

Patch

Because no upstream fix has been published, HarborGuard re-checks the IBM advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is released. In the interim, customers with auto-remediation enabled will receive compensating-control recommendations, including network-policy isolation rules scoped to the Db2 service port, to reduce exposure while the advisory remains open.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the Db2 DRDA service port over the network; no prior foothold on the host is needed.

  • Authentication: Not required

    The vulnerability is triggered during the pre-authentication handshake, so no credentials or account of any privilege level are required.

  • Victim interaction: Not required

    Exploitation is fully attacker-driven; no action by a logged-in user or administrator is needed to trigger the flaw.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and requires no special environmental conditions, race wins, or memory-layout knowledge.

Blast Radius

  • Attacker executes arbitrary code as the Db2 service process, gaining a foothold on the database host.
  • All data stored in the Db2 instance is readable, including tables, stored credentials, and application records.
  • Attacker can modify or delete persisted database rows, corrupt indexes, or drop schemas entirely.
  • The Db2 service process can be crashed or made unresponsive, taking down all dependent applications.

How HarborGuard Handles This

Available on HarborGuard. Because IBM has not published a fix version, the platform monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment an upstream fix appears. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression-test run and a PR opened against affected workloads; the median time from patch publication to merged PR is around 90 minutes for critical-severity issues in those environments.

While the advisory remains open, HarborGuard surfaces compensating-control recommendations for each flagged image: tightening Kubernetes NetworkPolicy or firewall rules to restrict access to the Db2 DRDA port (default 50000/TCP) to known application hosts only, enabling egress filtering on the database pod, and flagging any public or internet-exposed Db2 endpoints for immediate review. Where compliance policy permits, HarborGuard can also gate image promotion in CI/CD pipelines so that no new workload carrying an affected Db2 version reaches production until the upstream patch is available.
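
The NetworkPolicy control described above, as an added example (not HarborGuard's or IBM's own configuration): it admits traffic to the Db2 pods only on 50000/TCP from labelled application pods and limits the database pod's egress to cluster DNS. The namespace names, the `app: db2` and `db2-client: "true"` labels, and the `k8s-app: kube-dns` selector are assumptions to adapt to the cluster.

```yaml
# Added example: isolate the Db2 DRDA port while no upstream fix exists.
# All names and labels below are assumptions, not values from the advisory.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db2-drda-restrict
  namespace: databases            # assumed namespace running Db2
spec:
  podSelector:
    matchLabels:
      app: db2                    # assumed label on the Db2 pods
  policyTypes:
    - Ingress                     # anything not allowed below is dropped
    - Egress
  ingress:
    # Only known application pods may reach the DRDA listener.
    # namespaceSelector and podSelector in ONE list item are ANDed:
    # the peer must be in the "apps" namespace AND carry the client label.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: apps   # assumed app namespace
          podSelector:
            matchLabels:
              db2-client: "true"                  # assumed opt-in label
      ports:
        - protocol: TCP
          port: 50000             # default DRDA port named on this page
  egress:
    # Egress filtering on the database pod: DNS only. A compromised Db2
    # process cannot open outbound connections to other destinations.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns   # assumed DNS pod label
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

NetworkPolicy is enforced only when the cluster's CNI plugin implements it, and a Db2 deployment that needs other outbound traffic (for example replication or backup targets) needs matching egress rules added.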

Affected packages
  • IBM / Db2
    ≤ 11.5.9 · ≤ 12.1.4
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H