CVE-2026-2006

Summary

Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

Affected Software

VendorProductVersion RangeStatus
n/aPostgreSQL18 < 18.2affected
n/aPostgreSQL17 < 17.8affected
n/aPostgreSQL16 < 16.12affected
n/aPostgreSQL15 < 15.16affected
n/aPostgreSQL0 < 14.21affected

Weaknesses

  • CWE-129: Improper Validation of Array Index

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

postgresql: PostgreSQL missing validation of multibyte character length executes arbitrary code

Additional References

References