A critical, unauthenticated remote code execution vulnerability in IBM Db2 lets network attackers run arbitrary code by abusing improper handling of the pre-authentication DRDA handshake.
What Is It
CVE-2026-10109 is a remote code execution flaw in IBM Db2 caused by improper handling of the pre-authentication DRDA (Distributed Relational Database Architecture) handshake. Because the weakness is reached before authentication, an attacker needs no credentials and no user interaction to exploit it. IBM's advisory classifies the root cause as CWE-94 (code injection). The vulnerability carries a CVSS 3.1 base score of 9.8 (CRITICAL), with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: it is reachable over the network, has low attack complexity, and has full impact on confidentiality, integrity, and availability.
Why It Matters
Pre-authentication RCE against a database engine is among the most severe classes of vulnerability. A successful attacker gains code execution on the Db2 host without any prior access, exposing stored data and providing a foothold for lateral movement. The combination of network attack vector, low attack complexity, and no required privileges or interaction (exploitability sub-score 3.9) means exposed Db2 instances are high-value targets. Db2 commonly underpins enterprise and financial workloads, raising the stakes of compromise.
What's Vulnerable
The following IBM Db2 versions are affected:
- Db2 11.5.0 through 11.5.9
- Db2 12.1.0 through 12.1.4
The flaw is in the DRDA handshake handling, which is exposed on the database's network listener.
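To triage an inventory against the ranges above, the following added example (not IBM's code or part of the advisory) parses captured `db2level` output and flags levels inside the listed ranges. It assumes the level appears as the informational token `"DB2 vV.R.M.F"`; the hostnames and build tokens in the sample are constructed.

```python
import re

# Affected ranges exactly as listed on this page, inclusive,
# compared on (version, release, modification).
AFFECTED = [((11, 5, 0), (11, 5, 9)), ((12, 1, 0), (12, 1, 4))]

# Assumption: db2level reports the level as a token such as "DB2 v11.5.8.0".
TOKEN = re.compile(r'"DB2 v(\d+)\.(\d+)\.(\d+)\.(\d+)"')

def parse_db2level(text):
    """Return (version, release, mod, fixpack) from db2level output, or None."""
    m = TOKEN.search(text)
    return tuple(int(g) for g in m.groups()) if m else None

def in_affected_range(level):
    """True if the first three components fall inside a range listed above."""
    vrm = tuple(level[:3])
    return any(lo <= vrm <= hi for lo, hi in AFFECTED)

def triage(inventory):
    """Map host -> 'affected' | 'not-listed' | 'unknown' for captured outputs."""
    result = {}
    for host, output in inventory.items():
        level = parse_db2level(output)
        if level is None:
            # Unparsable output is never treated as safe; check that host by hand.
            result[host] = "unknown"
        elif in_affected_range(level):
            result[host] = "affected"
        else:
            result[host] = "not-listed"
    return result

# Constructed sample inventory (hostnames and build tokens are made up).
SAMPLE = {
    "db-a": 'Informational tokens are "DB2 v11.5.8.0", "s0000000000", '
            '"DYN0000000000AMD64", and Fix Pack "0".',
    "db-b": 'Informational tokens are "DB2 v12.1.2.0", "s0000000000", '
            '"DYN0000000000AMD64", and Fix Pack "0".',
    "db-c": 'Informational tokens are "DB2 v11.1.4.7", "s0000000000", '
            '"DYN0000000000AMD64", and Fix Pack "7".',
    "db-d": "db2level: command not found",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host}: {status}")
```

An `affected` result means only that the level falls inside the ranges listed here; whether a particular build already carries the fix is determined by the IBM advisory.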
Patch Status
IBM has published a security advisory (support node 7277424) covering this vulnerability. Administrators should consult that advisory for the fixed versions and remediation guidance, and prioritize updating affected 11.5.x and 12.1.x deployments given the critical severity and pre-auth network exploitability. Until patched, exposure of Db2 listeners to untrusted networks should be minimized.
Note: This CVE was not present in the CISA KEV data consulted, so there is no confirmation of active exploitation in the wild at this time.
Sources
- NVD, CVE-2026-10109: https://nvd.nist.gov/vuln/detail/CVE-2026-10109
- IBM Security Advisory (PSIRT): https://www.ibm.com/support/pages/node/7277424