CVE-2026-2006
PostgreSQL missing validation of multibyte character length executes arbitrary code
Severity: 8.8 HIGH (CVSS 3.1)
EPSS: 0.04%
Description
Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
How to fix CVE-2026-2006
To remediate CVE-2026-2006, upgrade the affected package to one of the fixed versions listed below.
- Upgrade to 15.16-r0 or later
- Upgrade to 16.12-r0 or later
- Upgrade to 17.8-r0 or later
- Upgrade to 18.2-r0 or later
- Upgrade to 14.21.0 or later
- Upgrade to 13.23-0+deb11u2 or later
- Upgrade to 15.16-0+deb12u1 or later
- Upgrade to 17.8-0+deb13u1 or later
- Upgrade to 18.2-1 or later
Is CVE-2026-2006 being exploited?
Low. EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (9)
- from 0, < 15.16-r0
- from 0, < 16.12-r0
- from 0, < 17.8-r0
- from 0, < 18.2-r0
- from 0, < 14.21.0, >= 15.0.0, < 15.16.0, >= 16.0.0, < 16.12.0, >= 17.0.0, < 17.8.0, >= 18.0.0, < 18.2.0
- from 0, < 13.23-0+deb11u2
- from 0, < 15.16-0+deb12u1
- from 0, < 17.8-0+deb13u1
- from 0, < 18.2-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.8) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |