CVE-2026-2004
PostgreSQL intarray missing validation of type of input to selectivity estimator executes arbitrary code
CVSS 3.1 base score: 8.8 (HIGH)
EPSS: 0.06%
Description
Missing validation of the input type in the PostgreSQL intarray extension's selectivity estimator function allows an object creator to execute arbitrary code as the operating-system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
How to fix CVE-2026-2004
To remediate CVE-2026-2004, upgrade the affected package to one of the fixed versions listed below.
- —upgrade to 15.16-r0 or later
- —upgrade to 16.12-r0 or later
- —upgrade to 17.8-r0 or later
- —upgrade to 18.2-r0 or later
- —upgrade to 14.21.0 or later
- —upgrade to 13.23-0+deb11u2 or later
- —upgrade to 15.16-0+deb12u1 or later
- —upgrade to 17.8-0+deb13u1 or later
- —upgrade to 18.2-1 or later
Is CVE-2026-2004 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (9)
- from 0, < 15.16-r0
- from 0, < 16.12-r0
- from 0, < 17.8-r0
- from 0, < 18.2-r0
- from 0, < 14.21.0, >= 15.0.0, < 15.16.0, >= 16.0.0, < 16.12.0, >= 17.0.0, < 17.8.0, >= 18.0.0, < 18.2.0
- from 0, < 13.23-0+deb11u2
- from 0, < 15.16-0+deb12u1
- from 0, < 17.8-0+deb13u1
- from 0, < 18.2-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.8) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |