CVE-2026-2003
postgresql-17 - security update
CVSS 3.1 score: 4.3 (MEDIUM); EPSS: 0.02%
Description
Improper validation of type "oidvector" in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
How to fix CVE-2026-2003
To remediate CVE-2026-2003, upgrade the affected package to a fixed version below.
- upgrade to 15.16-r0 or later
- upgrade to 16.12-r0 or later
- upgrade to 17.8-r0 or later
- upgrade to 18.2-r0 or later
- upgrade to 14.21.0 or later
- upgrade to 13.23-0+deb11u2 or later
- upgrade to 15.16-0+deb12u1 or later
- upgrade to 15.16-0+deb12u1 or later
- upgrade to 17.8-0+deb13u1 or later
- upgrade to 17.8-0+deb13u1 or later
- upgrade to 18.2-1 or later
Is CVE-2026-2003 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (11)
- all versions < 15.16-r0
- all versions < 16.12-r0
- all versions < 17.8-r0
- all versions < 18.2-r0
- all versions < 14.21.0; >= 15.0.0 and < 15.16.0; >= 16.0.0 and < 16.12.0; >= 17.0.0 and < 17.8.0; >= 18.0.0 and < 18.2.0
- all versions < 13.23-0+deb11u2
- all versions < 15.16-0+deb12u1
- all versions < 15.16-0+deb12u1
- all versions < 17.8-0+deb13u1
- all versions < 17.8-0+deb13u1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (4.3) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |