VDB
ALPINE-CVE-2025-12818
ALPINE-CVE-2025-12818
PUBLISHED
CVSS 5.900000095367432 MEDIUM
Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.
Risk Scores
CVSS v3.1
5.900000095367432
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Alpine:v3.21 | postgresql16 | 16.2-r2, 16.6-r0, 16.3-r1 |
| Alpine:v3.23 | postgresql18 | 0, 18.0-r0, 18.0-r0 |
| Alpine:v3.22 | postgresql17 | 17.4-r4, 17.4-r3, 17.4-r2 |
| Alpine:v3.23 | postgresql17 | 17.6-r0, 17.5-r1, 17.5-r0 |
| Alpine:v3.21 | postgresql17 | 17.0-r1, 0, 17.0-r0 |
| Alpine:v3.22 | postgresql16 | 16.2-r3, 16.9-r0, 16.8-r4 |
| Alpine:v3.19 | postgresql15 | 15.5-r0, 0, 15.1-r0 |
| Alpine:v3.20 | postgresql15 | 15.2-r2, 15.2-r0, 15.14-r0 |
| Alpine:v3.20 | postgresql16 | 16.9-r0, 16.3-r0, 16.4-r0 |
| Alpine:v3.19 | postgresql16 | 0, 16.0-r1, 16.0-r2 |
Timeline
- Nov 13, 2025 CVE Published
- Dec 3, 2025 CVE Updated
- Apr 30, 2026 Distribution Patch