Description
Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
Published: 2026-02-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution
Action: Immediate Patch
AI Analysis

Impact

PostgreSQL fails to validate the length of multibyte characters used in text manipulation. A crafted query can overflow a buffer, allowing a database user to run code with the operating system permissions of the database service. The vulnerability enables the attacker to compromise confidentiality, integrity, and availability of the host system.

Affected Systems

Versions of PostgreSQL before 14.21, 15.16, 16.12, 17.8, and 18.2 are affected. Any installation running these releases is susceptible wherever a database user account is able to issue the crafted queries.

Risk and Exploitability

The CVSS score of 8.8 classifies this issue as high severity, and the EPSS score of less than 1% indicates a low current exploitation probability. It is not listed in the CISA KEV catalogue. The most likely attack vector is a crafted SQL statement sent by a database user over a database connection, either locally or remotely if the database is exposed to an untrusted network.

Generated by OpenCVE AI on April 17, 2026 at 20:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PostgreSQL to version 14.21 or later, 15.16 or later, 16.12 or later, 17.8 or later, or 18.2 or later. The vendor advisory outlines the exact patch releases to apply.
  • If upgrading is not immediately possible, restrict database access to trusted users and applications only, so that untrusted parties cannot issue queries against the affected server.
  • Apply a network-level firewall rule to limit incoming connections to the database only to trusted subnets, reducing the attack surface for unauthenticated users.
  • Monitor query logs for abnormal multibyte character usage patterns that could indicate attempts to exploit the bug.

Advisories
Source | ID | Title
Debian DLA | DLA-4524-1 | postgresql-13 security update
Debian DLA | DLA-4524-2 | postgresql-13 regression update
Debian DSA | DSA-6132-1 | postgresql-15 security update
Debian DSA | DSA-6133-1 | postgresql-17 security update
History

Fri, 20 Feb 2026 20:00:00 +0000
Type: CPEs
Values added: cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*

Fri, 13 Feb 2026 21:45:00 +0000
Type: First Time appeared
Values added: Postgresql; Postgresql postgresql
Type: Vendors & Products
Values added: Postgresql; Postgresql postgresql

Fri, 13 Feb 2026 00:15:00 +0000
Type: Weaknesses
Values added: CWE-1285
Type: References
Type: Metrics threat_severity
Values removed: None
Values added: Important

Thu, 12 Feb 2026 15:15:00 +0000
Type: Metrics ssvc
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 12 Feb 2026 13:30:00 +0000
Type: Description
Values added: Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
Type: Title
Values added: PostgreSQL missing validation of multibyte character length executes arbitrary code
Type: Weaknesses
Values added: CWE-129
Type: References
Type: Metrics cvssV3_1
Values added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: PostgreSQL

Published:

Updated: 2026-02-26T14:44:21.358Z

Reserved: 2026-02-05T18:17:56.273Z

Link: CVE-2026-2006

Vulnrichment

Updated: 2026-02-12T14:19:18.253Z

NVD

Status: Analyzed

Published: 2026-02-12T14:16:02.470

Modified: 2026-02-20T19:54:12.520

Link: CVE-2026-2006

Redhat

Severity: Important

Public Date: 2026-02-12T13:00:10Z

Links: CVE-2026-2006 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T20:15:26Z

Weaknesses