Description
Improper validation of type "oidvector" in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
Published: 2026-02-12
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Disclosure
Action: Patch
AI Analysis

Impact

Improper handling of the OID vector data type in PostgreSQL allows a database user to read a small number of bytes from server memory. The disclosed data may contain sensitive information, though the likelihood of meaningful confidential data being exposed is considered low. The weakness is categorized as an information disclosure vulnerability.

Affected Systems

PostgreSQL installations running any version earlier than 18.2, 17.8, 16.12, 15.16, or 14.21 are affected. Upgrading to the stated or later releases eliminates the flaw.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires a valid database user; an attacker could craft queries that trigger the OID vector handling and read the exposed memory bytes. Given the limited data leakage and the requirement for database credentials, the overall risk to an organization without such credentials is relatively low, but environments with publicly accessible database services should consider mitigation promptly.

Generated by OpenCVE AI on April 18, 2026 at 18:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PostgreSQL to a version not earlier than 18.2, 17.8, 16.12, 15.16, or 14.21 to apply the vendor fix.
  • Restrict database user privileges so that users only have permissions necessary for their roles; limit use of the oidvector data type where possible.
  • Apply network segmentation or firewall rules to restrict external access to the PostgreSQL server, ensuring that only trusted hosts can connect to the database.



Advisories
Source      ID          Title
Debian DLA  DLA-4524-1  postgresql-13 security update
Debian DSA  DSA-6132-1  postgresql-15 security update
Debian DSA  DSA-6133-1  postgresql-17 security update
History

Fri, 20 Feb 2026 20:00:00 +0000

Type: CPEs
Values added: cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*

Fri, 13 Feb 2026 21:45:00 +0000

Type: First Time appeared
Values added: Postgresql; Postgresql postgresql

Type: Vendors & Products
Values added: Postgresql; Postgresql postgresql

Fri, 13 Feb 2026 00:15:00 +0000

Type: References
(values not shown)

Type: Metrics threat_severity
Values removed: None
Values added: Moderate

Thu, 12 Feb 2026 15:15:00 +0000

Type: Metrics ssvc
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Feb 2026 13:30:00 +0000

Type: Description
Values added: Improper validation of type "oidvector" in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

Type: Title
Values added: PostgreSQL oidvector discloses a few bytes of memory

Type: Weaknesses
Values added: CWE-1287

Type: References
(values not shown)

Type: Metrics cvssV3_1
Values added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: PostgreSQL

Published:

Updated: 2026-02-12T14:33:37.255Z

Reserved: 2026-02-05T18:17:54.018Z

Link: CVE-2026-2003

Vulnrichment

Updated: 2026-02-12T14:33:33.860Z

NVD

Status: Analyzed

Published: 2026-02-12T14:16:02.067

Modified: 2026-02-20T19:53:43.333

Link: CVE-2026-2003

Redhat

Severity: Moderate

Publish Date: 2026-02-12T13:00:06Z

Links: CVE-2026-2003 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T18:15:06Z

Weaknesses