{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3676", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2026-03-06T21:17:59.734Z", "datePublished": "2026-05-27T12:48:42.947Z", "dateUpdated": "2026-05-27T14:38:08.383Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-05-27T12:48:42.947Z"}, "title": "There are multiple vulnerabilities in IBM DB2 bundled with IBM Application Performance Management products.", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-1284", "description": "CWE-1284 Improper Validation of Specified Quantity in Input", "type": "CWE"}]}], "affected": [{"vendor": "IBM", "product": "Cloud APM, Base Private", "versions": [{"status": "affected", "version": "8.1.4", "lessThanOrEqual": ") Interim Fix 021", "versionType": "semver"}], "cpes": ["cpe:2.3:a:ibm:cloud_apm_base_private:8.1.4:*:*:*:*:*:*:*"]}, {"vendor": "IBM", "product": "Cloud APM, Advanced Private", "versions": [{"status": "affected", "version": "8.1.4"}], "cpes": ["cpe:2.3:a:ibm:cloud_apm_advanced_private:8.1.4:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "IBM Cloud APM, Base Private 8.1.4 and IBM Cloud APM, Advanced Private 8.1.4 IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in the data query logic of the Fenced environment.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM Cloud APM, Base Private 8.1.4 and IBM Cloud APM, Advanced Private 8.1.4 IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in the data query logic of the Fenced environment.</p>"}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7273649", "tags": ["vendor-advisory", "patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}}], "solutions": [{"lang": "en", "value": "The vulnerabilities can be remediated by first applying the necessary fixes to your DB2 V11.5 server. The fixes can be accessed from the following security bulletins:\n\n\n\nSecurity Bulletin: https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FTivoli%2FIBM+Application+Performance+Management&fixids=8.1.4.0-IBM-APM-SERVER-IF0019&source=SAR&function=fixId&parent=IBM%20Performance%20Management%20family", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>The vulnerabilities can be remediated by first applying the necessary fixes to your DB2 V11.5 server. The fixes can be accessed from the following security bulletins:</p><p>Security Bulletin: <a href=\"https://www.ibm.com/support/pages/security-bulletin-ibm%C2%AE-db2%C2%AE-vulnerable-denial-service-specially-crafted-query-when-stmtheap-set-automatic-cve-2025-36122\" rel=\"nofollow\">Security Bulletin: IBM\u00ae Db2\u00ae is vulnerable to a denial of service with a specially crafted query when stmtheap is set to automatic (CVE-2025-36122)</a></p><p>Security Bulletin: <a href=\"https://www.ibm.com/support/pages/security-bulletin-ibm%C2%AE-db2%C2%AE-vulnerable-denial-service-when-fetching-certain-tables-under-specific-configurations-cve-2025-14688\" rel=\"nofollow\">Security Bulletin: IBM\u00ae Db2\u00ae is vulnerable to a denial of service when fetching from certain tables under specific configurations (CVE-2025-14688)</a></p><p>Security Bulletin:&nbsp;<a href=\"https://www.ibm.com/support/pages/security-bulletin-ibm%C2%AE-db2%C2%AE-affected-vulnerability-netty-codec-http-41127-cve-2025-67735\" rel=\"nofollow\">Security Bulletin: IBM\u00ae Db2\u00ae is affected by a vulnerability in netty-codec-http-4.1.127 (CVE-2025-67735)</a></p><p>Security Bulletin: <a href=\"https://www.ibm.com/support/pages/node/7257695\" rel=\"nofollow\">https://www.ibm.com/support/pages/security-bulletin-ibm%C2%AE-db2%C2%AE-vulnerable-trap-or-return-sqlcode-901-when-compiling-specially-crafted-query-defined-index-cve-2026-1352</a></p><p>Security Bulletin: <a href=\"https://www.ibm.com/support/pages/security-bulletin-ibm%C2%AE-db2%C2%AE-vulnerable-denial-service-specially-crafted-query-involving-multiple-subqueries-cve-2026-1577\" rel=\"nofollow\">Security Bulletin: IBM\u00ae Db2\u00ae is vulnerable to a denial of service with a specially crafted query involving multiple subqueries (CVE-2026-1577)</a></p><p>To use your updated DB2 V11.5 server with your IBM Cloud Application Performance Management product, apply the 8.1.4.0-IBM-APM-SERVER-IF0004 or later server patch to the system where the Cloud APM server is installed. Interim fixes for the Cloud APM server version 8.1.4 are available to download from IBM Fix Central at this link:</p><p><a href=\"https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FTivoli%2FIBM+Application+Performance+Management&amp;fixids=8.1.4.0-IBM-APM-SERVER-IF0019&amp;source=SAR&amp;function=fixId&amp;parent=IBM%20Performance%20Management%20family\" rel=\"nofollow\">https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FTivoli%2FIBM+Application+Performance+Management&amp;fixids=8.1.4.0-IBM-APM-SERVER-IF0019&amp;source=SAR&amp;function=fixId&amp;parent=IBM%20Performance%20Management%20family</a></p>"}]}], "x_generator": {"engine": "ibm-cvegen"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-27T14:34:24.394252Z", "id": "CVE-2026-3676", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-27T14:38:08.383Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3676", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2026-03-06T21:17:59.734Z", "datePublished": "2026-05-27T12:48:42.947Z", "dateUpdated": "2026-05-27T14:38:08.383Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-05-27T12:48:42.947Z"}, "title": "There are multiple vulnerabilities in IBM DB2 bundled with IBM Application Performance Management products.", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-1284", "description": "CWE-1284 Improper Validation of Specified Quantity in Input", "type": "CWE"}]}], "affected": [{"vendor": "IBM", "product": "Cloud APM, Base Private", "versions": [{"status": "affected", "version": "8.1.4", "lessThanOrEqual": ") Interim Fix 021", "versionType": "semver"}], "cpes": ["cpe:2.3:a:ibm:cloud_apm_base_private:8.1.4:*:*:*:*:*:*:*"]}, {"vendor": "IBM", "product": "Cloud APM, Advanced Private", "versions": [{"status": "affected", "version": "8.1.4"}], "cpes": ["cpe:2.3:a:ibm:cloud_apm_advanced_private:8.1.4:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "IBM Cloud APM, Base Private 8.1.4 and IBM Cloud APM, Advanced Private 8.1.4 IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in the data query logic of the Fenced environment.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM Cloud APM, Base Private 8.1.4 and IBM Cloud APM, Advanced Private 8.1.4 IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in the data query logic of the Fenced environment.</p>"}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7273649", "tags": ["vendor-advisory", "patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}}], "solutions": [{"lang": "en", "value": "The vulnerabilities can be remediated by first applying the necessary fixes to your DB2 V11.5 server. The fixes can be accessed from the following security bulletins:\n\n\n\nSecurity Bulletin: https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FTivoli%2FIBM+Application+Performance+Management&fixids=8.1.4.0-IBM-APM-SERVER-IF0019&source=SAR&function=fixId&parent=IBM%20Performance%20Management%20family", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>The vulnerabilities can be remediated by first applying the necessary fixes to your DB2 V11.5 server. The fixes can be accessed from the following security bulletins:</p><p>Security Bulletin: <a href=\"https://www.ibm.com/support/pages/security-bulletin-ibm%C2%AE-db2%C2%AE-vulnerable-denial-service-specially-crafted-query-when-stmtheap-set-automatic-cve-2025-36122\" rel=\"nofollow\">Security Bulletin: IBM\u00ae Db2\u00ae is vulnerable to a denial of service with a specially crafted query when stmtheap is set to automatic (CVE-2025-36122)</a></p><p>Security Bulletin: <a href=\"https://www.ibm.com/support/pages/security-bulletin-ibm%C2%AE-db2%C2%AE-vulnerable-denial-service-when-fetching-certain-tables-under-specific-configurations-cve-2025-14688\" rel=\"nofollow\">Security Bulletin: IBM\u00ae Db2\u00ae is vulnerable to a denial of service when fetching from certain tables under specific configurations (CVE-2025-14688)</a></p><p>Security Bulletin:&nbsp;<a href=\"https://www.ibm.com/support/pages/security-bulletin-ibm%C2%AE-db2%C2%AE-affected-vulnerability-netty-codec-http-41127-cve-2025-67735\" rel=\"nofollow\">Security Bulletin: IBM\u00ae Db2\u00ae is affected by a vulnerability in netty-codec-http-4.1.127 (CVE-2025-67735)</a></p><p>Security Bulletin: <a href=\"https://www.ibm.com/support/pages/node/7257695\" rel=\"nofollow\">https://www.ibm.com/support/pages/security-bulletin-ibm%C2%AE-db2%C2%AE-vulnerable-trap-or-return-sqlcode-901-when-compiling-specially-crafted-query-defined-index-cve-2026-1352</a></p><p>Security Bulletin: <a href=\"https://www.ibm.com/support/pages/security-bulletin-ibm%C2%AE-db2%C2%AE-vulnerable-denial-service-specially-crafted-query-involving-multiple-subqueries-cve-2026-1577\" rel=\"nofollow\">Security Bulletin: IBM\u00ae Db2\u00ae is vulnerable to a denial of service with a specially crafted query involving multiple subqueries (CVE-2026-1577)</a></p><p>To use your updated DB2 V11.5 server with your IBM Cloud Application Performance Management product, apply the 8.1.4.0-IBM-APM-SERVER-IF0004 or later server patch to the system where the Cloud APM server is installed. Interim fixes for the Cloud APM server version 8.1.4 are available to download from IBM Fix Central at this link:</p><p><a href=\"https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FTivoli%2FIBM+Application+Performance+Management&amp;fixids=8.1.4.0-IBM-APM-SERVER-IF0019&amp;source=SAR&amp;function=fixId&amp;parent=IBM%20Performance%20Management%20family\" rel=\"nofollow\">https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FTivoli%2FIBM+Application+Performance+Management&amp;fixids=8.1.4.0-IBM-APM-SERVER-IF0019&amp;source=SAR&amp;function=fixId&amp;parent=IBM%20Performance%20Management%20family</a></p>"}]}], "x_generator": {"engine": "ibm-cvegen"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3676", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-27T14:34:24.394252Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-27T14:37:34.558Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Cloud APM, Base Private 8.1.4 and IBM Cloud APM, Advanced Private 8.1.4 IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in the data query logic of the Fenced environment."}], "id": "CVE-2026-3676", "lastModified": "2026-05-27T14:53:51.833", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "psirt@us.ibm.com", "type": "Primary"}]}, "published": "2026-05-27T14:16:47.123", "references": [{"source": "psirt@us.ibm.com", "url": "https://www.ibm.com/support/pages/node/7273649"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1284"}], "source": "psirt@us.ibm.com", "type": "Primary"}]}

{}

{}