VDB

CISA-2026-2006

CISA-2026-2006 PUBLISHED CVSS 8.8 HIGH

Reported by PostgreSQL · Published February 12, 2026

Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

Risk Scores

CVSS 3.1
8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersions
n/aPostgreSQL18, 17, 16
n/aPostgreSQL18, 17, 16

Timeline

  • Feb 12, 2026 CVE Published
  • Feb 26, 2026 CVE Updated

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›