Description
Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
Published: 2026-02-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution
Action: Immediate Patch
AI Analysis

Impact

A heap buffer overflow in the PostgreSQL pgcrypto extension permits an attacker who can supply ciphertext to the database to execute arbitrary code as the operating system user running PostgreSQL.

Affected Systems

PostgreSQL versions earlier than 18.2, 17.8, 16.12, 15.16, and 14.21 are affected; affected installations must upgrade to the corresponding release or newer.

Risk and Exploitability

The likely attack vector is the delivery of specially crafted ciphertext to pgcrypto, which triggers the overflow; an attacker needs database access to send such data. The flaw carries a CVSS score of 8.8, indicating high severity, while the EPSS score of <1% suggests a relatively low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog, but successful exploitation would allow code execution with the privileges of the database process.

Generated by OpenCVE AI on April 17, 2026 at 20:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PostgreSQL to version 18.2 or newer, 17.8 or newer, 16.12 or newer, 15.16 or newer, or 14.21 or newer to remove the vulnerability.
  • If an upgrade cannot be performed immediately, disable the pgcrypto extension or revoke its usage privileges to prevent the overflow from being triggered.
  • Limit database roles so that only trusted users can invoke pgcrypto functions, reducing the window of opportunity for an attacker.



Advisories
Source      | ID         | Title
Debian DLA  | DLA-4524-1 | postgresql-13 security update
Debian DSA  | DSA-6132-1 | postgresql-15 security update
Debian DSA  | DSA-6133-1 | postgresql-17 security update
History

Fri, 20 Feb 2026 20:00:00 +0000

Type | Values Removed | Values Added
CPEs | (none)         | cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*

Fri, 13 Feb 2026 21:45:00 +0000

Type               | Values Removed | Values Added
First Time appeared | (none)        | Postgresql; Postgresql postgresql
Vendors & Products | (none)         | Postgresql; Postgresql postgresql

Fri, 13 Feb 2026 00:15:00 +0000

Type                    | Values Removed | Values Added
Weaknesses              | (none)         | CWE-120
References              | (none)         | (none)
Metrics threat_severity | None           | Important


Thu, 12 Feb 2026 15:15:00 +0000

Type         | Values Removed | Values Added
Metrics ssvc | (none)         | {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 12 Feb 2026 13:30:00 +0000

Type            | Values Removed | Values Added
Description     | (none)         | Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
Title           | (none)         | PostgreSQL pgcrypto heap buffer overflow executes arbitrary code
Weaknesses      | (none)         | CWE-122
References      | (none)         | (none)
Metrics cvssV3_1 | (none)        | {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: PostgreSQL

Published:

Updated: 2026-02-26T14:44:21.494Z

Reserved: 2026-02-05T18:17:55.613Z

Link: CVE-2026-2005

Vulnrichment

Updated: 2026-02-12T14:31:55.897Z

NVD

Status : Analyzed

Published: 2026-02-12T14:16:02.350

Modified: 2026-02-20T19:54:02.243

Link: CVE-2026-2005

Redhat

Severity : Important

Public Date: 2026-02-12T13:00:09Z

Links: CVE-2026-2005 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T20:15:26Z

Weaknesses