⚡ Active KEV CVE-2026-10109 2026-06-30

IBM Db2 Pre-Auth RCE (CVE-2026-10109): Critical DRDA Handshake Flaw

"A critical, unauthenticated remote code execution vulnerability in IBM Db2 lets network attackers run arbitrary code by abusing improper handling of the pre-authentication DRDA handshake."

What Is It

CVE-2026-10109 is a remote code execution flaw in IBM Db2 caused by improper handling of the pre-authentication DRDA (Distributed Relational Database Architecture) handshake. Because the weakness is reached before authentication, an attacker needs no credentials and no user interaction to exploit it. IBM's advisory classifies the root cause as CWE-94 (improper control of generation of code, i.e. code injection). The vulnerability carries a CVSS 3.1 base score of 9.8 (CRITICAL) with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: network-reachable, low attack complexity, no privileges or user interaction required, unchanged scope, and full impact to confidentiality, integrity, and availability.

Why It Matters

Pre-authentication RCE against a database engine is among the most severe classes of vulnerability. A successful attacker gains code execution on the Db2 host without any prior access, exposing stored data and providing a foothold for lateral movement. The combination of network attack vector, low attack complexity, and no required privileges or interaction (exploitability sub-score 3.9) means exposed Db2 instances are high-value targets. Db2 commonly underpins enterprise and financial workloads, raising the stakes of compromise.

What's Vulnerable

The following IBM Db2 versions are affected:

The flaw is in the DRDA handshake handling, which is exposed on the database's network listener.

Patch Status

IBM has published a security advisory (support node 7277424) covering this vulnerability. Administrators should consult that advisory for the fixed versions and remediation guidance, and prioritize updating affected 11.5.x and 12.1.x deployments given the critical severity and pre-auth network exploitability. Until patched, exposure of Db2 listeners to untrusted networks should be minimized.
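A practical way to act on the two points above (the flaw sits on the network listener; affected release lines should be updated and exposure minimized) is a small host triage check. The script below is an added example, not IBM's tooling or part of this brief: it reads `db2level` output to find the installed version, flags the 11.5 and 12.1 release lines named here as needing a check against the advisory's fixed levels, and reads `ss -ltn` output to report whether the Db2 listener is bound to all interfaces rather than loopback or a specific internal address. The port defaults to 50000 (Db2's conventional SVCENAME port) and must be overridden if the instance uses another; the sample outputs are constructed.

```python
import ipaddress
import re

# Db2's conventional DRDA listener port; pass the instance's SVCENAME port if different.
DEFAULT_DRDA_PORT = 50000

# Release lines named in the brief as needing an update. Which fix pack levels
# actually contain the fix is stated only in IBM's advisory, so this script
# flags the line for review rather than claiming a given level is patched.
AFFECTED_LINES = ("11.5", "12.1")


def parse_db2level(text):
    """Extract the product version (e.g. '11.5.8.0') from db2level output."""
    m = re.search(r'DB2 v(\d+\.\d+\.\d+\.\d+)', text)
    return m.group(1) if m else None


def in_affected_line(version):
    return version is not None and any(
        version.startswith(line + ".") for line in AFFECTED_LINES)


def parse_listeners(ss_output):
    """Parse `ss -ltn` output into (address, port) tuples.
    Handles IPv4, bracketed IPv6 ('[::]:50000') and the '*' wildcard."""
    listeners = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]")
        if port.isdigit():
            listeners.append((addr, int(port)))
    return listeners


def classify_bind(addr):
    """'wildcard' (all interfaces), 'loopback', or 'specific'."""
    if addr in ("0.0.0.0", "::", "*", ""):
        return "wildcard"
    try:
        return "loopback" if ipaddress.ip_address(addr).is_loopback else "specific"
    except ValueError:
        return "specific"


def triage(db2level_text, ss_output, drda_port=DEFAULT_DRDA_PORT):
    """Combine version and listener exposure into a single finding."""
    version = parse_db2level(db2level_text)
    affected = in_affected_line(version)
    binds = [classify_bind(a) for a, p in parse_listeners(ss_output) if p == drda_port]
    exposed = "wildcard" in binds or "specific" in binds
    if affected and exposed:
        action = "Update per IBM advisory 7277424 now; listener is network-reachable."
    elif affected:
        action = "Update per IBM advisory 7277424; listener is loopback-only or absent."
    elif exposed:
        action = "Version not in a named affected line; confirm against the advisory."
    else:
        action = "No finding."
    return {"version": version, "affected_line": affected,
            "listener_binds": binds, "exposed": exposed, "action": action}


# Constructed sample outputs (the formats are real; the values are made up).
SAMPLE_DB2LEVEL = '''DB21085I  This instance or install uses "64" bits and DB2 code release "SQL11058".
Informational tokens are "DB2 v11.5.8.0", "s2209201700", "DYN2209201700AMD64", and Fix Pack "0".'''

SAMPLE_SS = '''State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:50000       0.0.0.0:*
LISTEN  0       128     127.0.0.1:5432      0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*'''

if __name__ == "__main__":
    print(triage(SAMPLE_DB2LEVEL, SAMPLE_SS))
```

Run it with the real command output (`db2level` as the instance owner, `ss -ltn` on the host); a wildcard bind on the DRDA port is the case the brief's "minimize exposure to untrusted networks" advice is about, and the fix there is either the update or restricting the bind address and firewalling the port to the application tier.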

Note: This CVE was not present in the CISA KEV data reviewed for this brief, so there is no confirmation of active exploitation in the wild at this time.