CVE-2026-3676: IBM Db2 APM: DoS via query special element injection
MEDIUMAn authenticated attacker with low privileges can crash IBM Cloud APM 8.1.4 and IBM Db2 by injecting special characters into query logic targeting the Fenced environment, a sandboxed execution layer for external stored procedures. With a CVSS 6.5 and network-accessible attack vector requiring no user interaction, this is exploitable by any authenticated database user — including service accounts commonly provisioned for AI/ML data pipelines. There is no public exploit and no CISA KEV listing, but Db2 instances serving as backend stores for training data, feature stores, or analytics workloads face availability risk if left unpatched. Apply IBM's patch referenced at https://www.ibm.com/support/pages/node/7273649 and audit service accounts with query execution rights on Fenced-enabled instances.
What is the risk?
Medium risk overall. CVSS 6.5 reflects authenticated access requirement (reducing opportunistic exploitation) but the network vector, low complexity, and zero user interaction lower the bar significantly for any insider or compromised service account. AI/ML pipelines that rely on Db2 as a persistent store — including those feeding real-time inference or training jobs — face a targeted availability threat. No EPSS data available and no public exploit reduce immediate urgency, but the Fenced environment is a privileged execution context, and a DoS here can cascade into pipeline stalls or data ingestion failures.
How does the attack unfold?
How severe is it?
What is the attack surface?
What should I do?
5 steps-
Apply the fix referenced in IBM advisory https://www.ibm.com/support/pages/node/7273649 for IBM Cloud APM 8.1.4 and IBM Db2 for Linux/UNIX/Windows.
-
Audit and restrict EXECUTE privileges on Fenced stored procedures to only accounts that require them — principle of least privilege limits blast radius.
-
Enable database audit logging to detect abnormal query patterns with special characters against Fenced routines.
-
For AI/ML pipelines using Db2, add availability monitoring and automatic failover to detect and recover from unexpected Db2 Fenced environment crashes.
-
Until patched, consider disabling or restricting Fenced mode execution for non-essential procedures.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-3676?
An authenticated attacker with low privileges can crash IBM Cloud APM 8.1.4 and IBM Db2 by injecting special characters into query logic targeting the Fenced environment, a sandboxed execution layer for external stored procedures. With a CVSS 6.5 and network-accessible attack vector requiring no user interaction, this is exploitable by any authenticated database user — including service accounts commonly provisioned for AI/ML data pipelines. There is no public exploit and no CISA KEV listing, but Db2 instances serving as backend stores for training data, feature stores, or analytics workloads face availability risk if left unpatched. Apply IBM's patch referenced at https://www.ibm.com/support/pages/node/7273649 and audit service accounts with query execution rights on Fenced-enabled instances.
Is CVE-2026-3676 actively exploited?
No confirmed active exploitation of CVE-2026-3676 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-3676?
1. Apply the fix referenced in IBM advisory https://www.ibm.com/support/pages/node/7273649 for IBM Cloud APM 8.1.4 and IBM Db2 for Linux/UNIX/Windows. 2. Audit and restrict EXECUTE privileges on Fenced stored procedures to only accounts that require them — principle of least privilege limits blast radius. 3. Enable database audit logging to detect abnormal query patterns with special characters against Fenced routines. 4. For AI/ML pipelines using Db2, add availability monitoring and automatic failover to detect and recover from unexpected Db2 Fenced environment crashes. 5. Until patched, consider disabling or restricting Fenced mode execution for non-essential procedures.
What systems are affected by CVE-2026-3676?
This vulnerability affects the following AI/ML architecture patterns: Training pipelines, Data analytics backends, Feature stores, Model monitoring infrastructure.
What is the CVSS score for CVE-2026-3676?
CVE-2026-3676 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.40%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0029 Denial of AI Service AML.T0034 Cost Harvesting AML.T0049 Exploit Public-Facing Application Compliance Controls Affected
What are the technical details?
Original Advisory
IBM Cloud APM, Base Private 8.1.4 and IBM Cloud APM, Advanced Private 8.1.4 IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in the data query logic of the Fenced environment.
Exploitation Scenario
An attacker with a compromised low-privilege service account — such as one used by a data ingestion pipeline feeding an ML training job — authenticates to an IBM Db2 instance running the affected version. They craft a query string containing special characters that bypass input validation in the Fenced environment query logic (CWE-1284: improper validation of specified quantity in input). Upon execution, the Fenced daemon crashes, taking down all stored procedures and UDFs running in that context. Downstream AI/ML batch jobs that depend on Db2 stored procedures for feature computation or data transformation silently fail or stall, causing training data corruption by omission or delaying model retraining cycles — creating a subtle, hard-to-detect operational disruption.
Weaknesses (CWE)
CWE-1284 — Improper Validation of Specified Quantity in Input: The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
- [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H References
Timeline
Related Vulnerabilities
CVE-2026-33660 10.0 TensorFlow: type confusion NPD in tensor conversion
Same attack type: DoS CVE-2023-25668 9.8 TensorFlow: unauthenticated RCE via heap buffer overflow
Same attack type: DoS CVE-2022-23587 9.8 TensorFlow: integer overflow in Grappler enables RCE
Same attack type: DoS CVE-2022-35939 9.8 TensorFlow: ScatterNd OOB write enables RCE/crash
Same attack type: DoS CVE-2022-41900 9.8 TensorFlow: heap OOB RCE in FractionalMaxPool op
Same attack type: DoS